Improve infra-run portfolio credibility

This commit is contained in:
Mateusz Suski
2026-05-08 21:18:22 +00:00
parent deb12a0b4f
commit ca5a876d03
87 changed files with 462 additions and 531 deletions
@@ -37,12 +37,16 @@
ansible.builtin.set_fact:
cis_package_validation_summary:
legacy_absent: "{{ cis_legacy_packages | difference(ansible_facts.packages.keys() | list) }}"
hardening_present: "{{ (cis_enabled_hardening_packages | default(cis_hardening_packages)) | intersect(ansible_facts.packages.keys() | list) }}"
hardening_present: >-
{{ (cis_enabled_hardening_packages | default(cis_hardening_packages))
| intersect(ansible_facts.packages.keys() | list) }}
audit_present: "{{ cis_audit_packages | intersect(ansible_facts.packages.keys() | list) }}"
- name: Build sysctl validation summary
ansible.builtin.set_fact:
cis_sysctl_validation_summary: "{{ cis_sysctl_validation_summary | default({}) | combine({item.item.key: item.stdout | default('unreadable')}) }}"
cis_sysctl_validation_summary: >-
{{ cis_sysctl_validation_summary | default({})
| combine({item.item.key: item.stdout | default('unreadable')}) }}
loop: "{{ cis_sysctl_validation.results | default([]) }}"
loop_control:
label: "{{ item.item.key }}"
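Review bot: In the new `cis_sysctl_validation_summary` expression, `item.stdout | default('unreadable')` only substitutes when `stdout` is undefined, so a registered command that fails with a non-zero rc and an empty stdout (the usual shape for an unknown sysctl key when the task is allowed to fail) is recorded as `''` rather than `'unreadable'`, and the missing key is never flagged in the summary. If `cis_sysctl_validation` is a command/shell result, keying on the return code is more reliable: `| combine({item.item.key: (item.stdout if item.rc | default(1) == 0 else 'unreadable')}) }}`. The `Build sysctl validation summary` task may continue past the end of the hunk, so any `failed_when`/`ignore_errors` on the registering task is not visible here.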
@@ -65,7 +69,7 @@
- name: Publish validation summary
ansible.builtin.set_fact:
cis_validation_summary:
benchmark: "CIS-inspired controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"
benchmark: "selected controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"
sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"
services: "{{ cis_service_state_summary }}"
packages: "{{ cis_package_validation_summary }}"
@@ -33,7 +33,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PermitRootLogin\s+'
line: "PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
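Review bot: Dropping `validate: sshd -t -f %s` from the PermitRootLogin task (and from the six sibling tasks in the following hunks, PermitEmptyPasswords through ClientAliveCountMax) moves the syntax check from before the write to after it: lineinfile now edits the drop-in unconditionally, and a rendered line that sshd rejects only surfaces when the `validate ssh` handler runs, by which point the broken file is already on disk and an sshd restart or reboot before it is repaired would leave the daemon unable to start and remote administrators locked out. If the line was removed because the drop-in does not validate standalone (it presumably depends on the rest of the `Include`d configuration), the safer replacement is a validate command that checks the full configuration with the candidate file in place, not the absence of any pre-write check; otherwise restoring `validate: sshd -t -f %s` keeps the fail-closed behaviour. The task's `- name:` and module lines start above the hunk, so whether another guard was added there is not visible.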
@@ -43,7 +42,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PermitEmptyPasswords\s+'
line: "PermitEmptyPasswords no"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -53,7 +51,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PasswordAuthentication\s+'
line: "PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -63,7 +60,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^MaxAuthTries\s+'
line: "MaxAuthTries {{ cis_ssh_max_auth_tries }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -73,7 +69,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^LoginGraceTime\s+'
line: "LoginGraceTime {{ cis_ssh_login_grace_time }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -83,7 +78,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^ClientAliveInterval\s+'
line: "ClientAliveInterval {{ cis_ssh_client_alive_interval }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -93,7 +87,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^ClientAliveCountMax\s+'
line: "ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -1,5 +1,5 @@
---
- name: Apply CIS-inspired sysctl settings
- name: Apply selected sysctl settings
ansible.posix.sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"