Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/precheck.yml

@@ -0,0 +1,73 @@
+---
+- name: Determine root filesystem free space
+  ansible.builtin.set_fact:
+    cis_root_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/') | list | first | default({}) }}"
+
+- name: Calculate root filesystem free space in MB
+  ansible.builtin.set_fact:
+    cis_root_free_mb: "{{ ((cis_root_mount.size_available | default(0) | int) / 1024 / 1024) | round(0, 'floor') | int }}"
+
+- name: Detect containerized runtime
+  ansible.builtin.set_fact:
+    cis_container_detected: >-
+      {{
+        ansible_virtualization_type | default('') in cis_container_virtualization_types
+        or ansible_env.container | default('') | length > 0
+      }}
+
+- name: Check for apt
+  ansible.builtin.stat:
+    path: /usr/bin/apt-get
+  register: cis_apt_check
+
+- name: Report platform precheck status
+  ansible.builtin.debug:
+    msg:
+      - "OK: Facts gathered for {{ ansible_distribution }} {{ ansible_distribution_version }}."
+      - "OK: Root filesystem free space is {{ cis_root_free_mb }} MB."
+      - >-
+        {{ 'OK: apt package manager detected.'
+           if cis_apt_check.stat.exists else 'CRITICAL: apt package manager was not found.' }}
+      - >-
+        {{ 'OK: systemd service manager detected.'
+           if ansible_service_mgr == 'systemd' else 'CRITICAL: systemd service manager is required.' }}
+      - >-
+        {{ 'WARNING: Containerized environment detected; service and kernel controls may be limited.'
+           if cis_container_detected else 'OK: No containerized runtime detected from Ansible facts.' }}
+
+- name: Fail when operating system is unsupported
+  ansible.builtin.assert:
+    that:
+      - >-
+        (ansible_distribution == 'Debian'
+        and ansible_distribution_major_version == cis_supported_debian_major_version)
+        or
+        (ansible_distribution == 'Ubuntu'
+        and ansible_distribution_version is version(cis_supported_ubuntu_version, '=='))
+    fail_msg: >-
+      CRITICAL: This role supports only Debian 13 / Trixie and Ubuntu Server 26.04 LTS.
+      Detected {{ ansible_distribution }} {{ ansible_distribution_version }}.
+    success_msg: "OK: Supported Debian/Ubuntu platform detected."
+
+- name: Fail when systemd is unavailable
+  ansible.builtin.assert:
+    that:
+      - ansible_service_mgr == 'systemd'
+    fail_msg: "CRITICAL: systemd is required for this operational hardening role."
+    success_msg: "OK: systemd is available."
+
+- name: Fail when apt is unavailable
+  ansible.builtin.assert:
+    that:
+      - cis_apt_check.stat.exists
+    fail_msg: "CRITICAL: apt-get is required for this Debian/Ubuntu hardening role."
+    success_msg: "OK: apt-get is available."
+
+- name: Fail when root filesystem free space is below safety threshold
+  ansible.builtin.assert:
+    that:
+      - cis_root_free_mb | int >= cis_min_root_free_mb | int
+    fail_msg: >-
+      CRITICAL: Root filesystem has {{ cis_root_free_mb }} MB free.
+      Minimum required free space is {{ cis_min_root_free_mb }} MB.
+    success_msg: "OK: Root filesystem free space meets the safety threshold."