infra-run/ansible/roles/cis-rhel9-hardening/tasks/postcheck.yml

---
- name: Validate sshd effective configuration syntax
  ansible.builtin.command: sshd -t
  register: cis_sshd_validate
  changed_when: false
  check_mode: false

- name: Read sysctl values for validation
  ansible.builtin.command: "sysctl -n {{ item.key }}"
  loop: "{{ cis_sysctl_settings | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  register: cis_sysctl_validation
  changed_when: false
  failed_when: false
  check_mode: false
  when: cis_enable_sysctl_hardening | bool

- name: Gather final service facts
  ansible.builtin.service_facts:

- name: Build service state summary
  ansible.builtin.set_fact:
    cis_service_state_summary:
      chronyd: "{{ ansible_facts.services['chronyd.service'].state | default('not-found') }}"
      auditd: "{{ ansible_facts.services['auditd.service'].state | default('not-found') }}"
      rsyslog: "{{ ansible_facts.services['rsyslog.service'].state | default('not-found') }}"

- name: Build sysctl validation summary
  ansible.builtin.set_fact:
    cis_sysctl_validation_summary: >-
      {{ cis_sysctl_validation_summary | default({})
      | combine({item.item.key: item.stdout | default('unreadable')}) }}
  loop: "{{ cis_sysctl_validation.results | default([]) }}"
  loop_control:
    label: "{{ item.item.key }}"
  when: cis_enable_sysctl_hardening | bool

- name: Build mount option change summary
  ansible.builtin.set_fact:
    cis_mount_option_summary: >-
      {{
        cis_mount_option_results.results
        | default([])
        | selectattr('changed', 'defined')
        | selectattr('changed')
        | map(attribute='item.path')
        | list
      }}

- name: Publish validation summary
  ansible.builtin.set_fact:
    cis_validation_summary:
      benchmark: "CIS RHEL 9 Benchmark {{ cis_benchmark_version }} inspired controls"
      sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"
      services: "{{ cis_service_state_summary }}"
      sysctl: "{{ cis_sysctl_validation_summary | default({}) }}"
      mount_option_updates: "{{ cis_mount_option_summary | default([]) }}"
      applied_controls:
        - ssh
        - packages
        - sysctl
        - services
        - audit
        - sudo
        - logging
        - filesystem

- name: Show service states
  ansible.builtin.debug:
    var: cis_service_state_summary

- name: Show changed mount options
  ansible.builtin.debug:
    msg: >-
      {{ cis_mount_option_summary | default([]) if cis_mount_option_summary | default([]) | length > 0
         else 'OK: No mount option changes were applied.' }}

- name: Show applied control summary
  ansible.builtin.debug:
    var: cis_validation_summary
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00			`---`
			`- name: Validate sshd effective configuration syntax`
			`ansible.builtin.command: sshd -t`
			`register: cis_sshd_validate`
			`changed_when: false`
			`check_mode: false`

			`- name: Read sysctl values for validation`
			`ansible.builtin.command: "sysctl -n {{ item.key }}"`
			`loop: "{{ cis_sysctl_settings \| dict2items }}"`
			`loop_control:`
			`label: "{{ item.key }}"`
			`register: cis_sysctl_validation`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`when: cis_enable_sysctl_hardening \| bool`

			`- name: Gather final service facts`
			`ansible.builtin.service_facts:`

			`- name: Build service state summary`
			`ansible.builtin.set_fact:`
			`cis_service_state_summary:`
			`chronyd: "{{ ansible_facts.services['chronyd.service'].state \| default('not-found') }}"`
			`auditd: "{{ ansible_facts.services['auditd.service'].state \| default('not-found') }}"`
			`rsyslog: "{{ ansible_facts.services['rsyslog.service'].state \| default('not-found') }}"`

			`- name: Build sysctl validation summary`
			`ansible.builtin.set_fact:`
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`cis_sysctl_validation_summary: >-`
			`{{ cis_sysctl_validation_summary \| default({})`
			`\| combine({item.item.key: item.stdout \| default('unreadable')}) }}`
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00			`loop: "{{ cis_sysctl_validation.results \| default([]) }}"`
			`loop_control:`
			`label: "{{ item.item.key }}"`
			`when: cis_enable_sysctl_hardening \| bool`

			`- name: Build mount option change summary`
			`ansible.builtin.set_fact:`
			`cis_mount_option_summary: >-`
			`{{`
			`cis_mount_option_results.results`
			`\| default([])`
			`\| selectattr('changed', 'defined')`
			`\| selectattr('changed')`
			`\| map(attribute='item.path')`
			`\| list`
			`}}`

			`- name: Publish validation summary`
			`ansible.builtin.set_fact:`
			`cis_validation_summary:`
			`benchmark: "CIS RHEL 9 Benchmark {{ cis_benchmark_version }} inspired controls"`
			`sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"`
			`services: "{{ cis_service_state_summary }}"`
			`sysctl: "{{ cis_sysctl_validation_summary \| default({}) }}"`
			`mount_option_updates: "{{ cis_mount_option_summary \| default([]) }}"`
			`applied_controls:`
			`- ssh`
			`- packages`
			`- sysctl`
			`- services`
			`- audit`
			`- sudo`
			`- logging`
			`- filesystem`

			`- name: Show service states`
			`ansible.builtin.debug:`
			`var: cis_service_state_summary`

			`- name: Show changed mount options`
			`ansible.builtin.debug:`
			`msg: >-`
			`{{ cis_mount_option_summary \| default([]) if cis_mount_option_summary \| default([]) \| length > 0`
			`else 'OK: No mount option changes were applied.' }}`

			`- name: Show applied control summary`
			`ansible.builtin.debug:`
			`var: cis_validation_summary`