infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/postcheck.yml

---
- name: Validate ssh effective configuration syntax
  ansible.builtin.command: sshd -t
  register: cis_sshd_validate
  changed_when: false
  check_mode: false

- name: Read sysctl values for validation
  ansible.builtin.command: "sysctl -n {{ item.key }}"
  loop: "{{ cis_sysctl_settings | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  register: cis_sysctl_validation
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - cis_enable_sysctl_hardening | bool
    - not cis_container_detected | default(false) | bool

- name: Gather installed package facts
  ansible.builtin.package_facts:
    manager: auto

- name: Gather final service facts
  ansible.builtin.service_facts:

- name: Build service state summary
  ansible.builtin.set_fact:
    cis_service_state_summary:
      ssh: "{{ ansible_facts.services['ssh.service'].state | default('not-found') }}"
      chrony: "{{ ansible_facts.services['chrony.service'].state | default('not-found') }}"
      auditd: "{{ ansible_facts.services['auditd.service'].state | default('not-found') }}"
      rsyslog: "{{ ansible_facts.services['rsyslog.service'].state | default('not-found') }}"

- name: Build package validation summary
  ansible.builtin.set_fact:
    cis_package_validation_summary:
      legacy_absent: "{{ cis_legacy_packages | difference(ansible_facts.packages.keys() | list) }}"
      hardening_present: >-
        {{ (cis_enabled_hardening_packages | default(cis_hardening_packages))
        | intersect(ansible_facts.packages.keys() | list) }}
      audit_present: "{{ cis_audit_packages | intersect(ansible_facts.packages.keys() | list) }}"

- name: Build sysctl validation summary
  ansible.builtin.set_fact:
    cis_sysctl_validation_summary: >-
      {{ cis_sysctl_validation_summary | default({})
      | combine({item.item.key: item.stdout | default('unreadable')}) }}
  loop: "{{ cis_sysctl_validation.results | default([]) }}"
  loop_control:
    label: "{{ item.item.key }}"
  when:
    - cis_enable_sysctl_hardening | bool
    - not cis_container_detected | default(false) | bool

- name: Build mount option change summary
  ansible.builtin.set_fact:
    cis_mount_option_summary: >-
      {{
        cis_mount_option_results.results
        | default([])
        | selectattr('changed', 'defined')
        | selectattr('changed')
        | map(attribute='item.path')
        | list
      }}

- name: Publish validation summary
  ansible.builtin.set_fact:
    cis_validation_summary:
      benchmark: "selected controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"
      sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"
      services: "{{ cis_service_state_summary }}"
      packages: "{{ cis_package_validation_summary }}"
      sysctl: "{{ cis_sysctl_validation_summary | default({}) }}"
      mount_option_updates: "{{ cis_mount_option_summary | default([]) }}"
      audit_rules_managed: "{{ cis_manage_audit_rules | bool }}"
      applied_controls:
        - ssh
        - packages
        - sysctl
        - services
        - audit
        - sudo
        - logging
        - filesystem

- name: Show service states
  ansible.builtin.debug:
    var: cis_service_state_summary

- name: Show package validation
  ansible.builtin.debug:
    var: cis_package_validation_summary

- name: Show changed mount options
  ansible.builtin.debug:
    msg: >-
      {{ cis_mount_option_summary | default([]) if cis_mount_option_summary | default([]) | length > 0
         else 'OK: No mount option changes were applied.' }}

- name: Show applied control summary
  ansible.builtin.debug:
    var: cis_validation_summary
Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook 2026-05-06 08:56:45 +00:00			`---`
			`- name: Validate ssh effective configuration syntax`
			`ansible.builtin.command: sshd -t`
			`register: cis_sshd_validate`
			`changed_when: false`
			`check_mode: false`

			`- name: Read sysctl values for validation`
			`ansible.builtin.command: "sysctl -n {{ item.key }}"`
			`loop: "{{ cis_sysctl_settings \| dict2items }}"`
			`loop_control:`
			`label: "{{ item.key }}"`
			`register: cis_sysctl_validation`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`when:`
			`- cis_enable_sysctl_hardening \| bool`
			`- not cis_container_detected \| default(false) \| bool`

			`- name: Gather installed package facts`
			`ansible.builtin.package_facts:`
			`manager: auto`

			`- name: Gather final service facts`
			`ansible.builtin.service_facts:`

			`- name: Build service state summary`
			`ansible.builtin.set_fact:`
			`cis_service_state_summary:`
			`ssh: "{{ ansible_facts.services['ssh.service'].state \| default('not-found') }}"`
			`chrony: "{{ ansible_facts.services['chrony.service'].state \| default('not-found') }}"`
			`auditd: "{{ ansible_facts.services['auditd.service'].state \| default('not-found') }}"`
			`rsyslog: "{{ ansible_facts.services['rsyslog.service'].state \| default('not-found') }}"`

			`- name: Build package validation summary`
			`ansible.builtin.set_fact:`
			`cis_package_validation_summary:`
			`legacy_absent: "{{ cis_legacy_packages \| difference(ansible_facts.packages.keys() \| list) }}"`
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`hardening_present: >-`
			`{{ (cis_enabled_hardening_packages \| default(cis_hardening_packages))`
			`\| intersect(ansible_facts.packages.keys() \| list) }}`
Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook 2026-05-06 08:56:45 +00:00			`audit_present: "{{ cis_audit_packages \| intersect(ansible_facts.packages.keys() \| list) }}"`

			`- name: Build sysctl validation summary`
			`ansible.builtin.set_fact:`
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`cis_sysctl_validation_summary: >-`
			`{{ cis_sysctl_validation_summary \| default({})`
			`\| combine({item.item.key: item.stdout \| default('unreadable')}) }}`
Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook 2026-05-06 08:56:45 +00:00			`loop: "{{ cis_sysctl_validation.results \| default([]) }}"`
			`loop_control:`
			`label: "{{ item.item.key }}"`
			`when:`
			`- cis_enable_sysctl_hardening \| bool`
			`- not cis_container_detected \| default(false) \| bool`

			`- name: Build mount option change summary`
			`ansible.builtin.set_fact:`
			`cis_mount_option_summary: >-`
			`{{`
			`cis_mount_option_results.results`
			`\| default([])`
			`\| selectattr('changed', 'defined')`
			`\| selectattr('changed')`
			`\| map(attribute='item.path')`
			`\| list`
			`}}`

			`- name: Publish validation summary`
			`ansible.builtin.set_fact:`
			`cis_validation_summary:`
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`benchmark: "selected controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"`
Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook 2026-05-06 08:56:45 +00:00			`sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"`
			`services: "{{ cis_service_state_summary }}"`
			`packages: "{{ cis_package_validation_summary }}"`
			`sysctl: "{{ cis_sysctl_validation_summary \| default({}) }}"`
			`mount_option_updates: "{{ cis_mount_option_summary \| default([]) }}"`
			`audit_rules_managed: "{{ cis_manage_audit_rules \| bool }}"`
			`applied_controls:`
			`- ssh`
			`- packages`
			`- sysctl`
			`- services`
			`- audit`
			`- sudo`
			`- logging`
			`- filesystem`

			`- name: Show service states`
			`ansible.builtin.debug:`
			`var: cis_service_state_summary`

			`- name: Show package validation`
			`ansible.builtin.debug:`
			`var: cis_package_validation_summary`

			`- name: Show changed mount options`
			`ansible.builtin.debug:`
			`msg: >-`
			`{{ cis_mount_option_summary \| default([]) if cis_mount_option_summary \| default([]) \| length > 0`
			`else 'OK: No mount option changes were applied.' }}`

			`- name: Show applied control summary`
			`ansible.builtin.debug:`
			`var: cis_validation_summary`