Add RHEL 9 CIS-inspired hardening playbook

infra-run/ansible/inventory/group_vars/all.yml

@@ -0,0 +1,18 @@
+---
+timezone: UTC
+
+cis_ntp_servers:
+  - 0.rhel.pool.ntp.org
+  - 1.rhel.pool.ntp.org
+  - 2.rhel.pool.ntp.org
+  - 3.rhel.pool.ntp.org
+
+# Operational defaults. Override per run with --extra-vars or inventory when needed.
+cis_disable_root_login: true
+cis_disable_password_auth: false
+cis_install_auditd: true
+cis_enable_chrony: true
+cis_enable_rsyslog: true
+cis_remove_legacy_packages: true
+cis_enable_sysctl_hardening: true
+cis_manage_mount_options: false