
Conversation


Copilot AI commented Jul 30, 2025

This PR addresses 5 TODO-like items found in the codebase that represented incomplete configurations, commented-out features, or areas needing better documentation.

Changes Made

1. GitHub Workflows - Configurable Verbose Mode

Previously, the verbose: 3 setting was commented out in both workflow files:

#          verbose: 3

Now it's configurable based on the existing ENABLE_DEBUG variable:

verbose: ${{ env.ENABLE_DEBUG == 'true' && 3 || 0 }}

This allows verbose output when debugging is enabled without requiring manual code changes.

2. Chrony Configuration - Configurable RTC File

The rtcfile directive was commented out due to potential hardware compatibility issues:

# rtcfile /var/lib/chrony/chrony.rtc

Added new configuration variables to make this configurable:

rhel9cis_chrony_server_rtcfile_enable: false
rhel9cis_chrony_server_rtcfile_path: "/var/lib/chrony/chrony.rtc"

The template now conditionally includes the directive based on the enable flag, with clear documentation about the risks.

3. SSH Configuration - Enhanced Documentation

Replaced a generic warning comment with comprehensive documentation:

Before:

# WARNING: make sure you understand the precedence when working with these values!!

After:

# SSH Access Control Configuration
# IMPORTANT: These directives are processed in the order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
# First match wins, so be careful with precedence!
# 
# Examples:
# allowusers: "user1 user2 [email protected]/8"
# allowgroups: "wheel sysadmin"

4. Repository GPG Check - Explicit Documentation

Enhanced documentation across OS-specific variable files to explain why repo_gpgcheck is disabled:

Before:

# disable repo_gpgcheck due to OS default repos

After:

# Repository GPG checking is disabled for [OS Name]
# This is due to the OS default repositories not having proper GPG signatures configured
# CIS 1.2.4 requires repo_gpgcheck=1, but this conflicts with [OS] default repos
# Set to true only if you have properly configured GPG keys for all repositories

5. Tmp Filesystem Settings - Enable Commented Variable

Uncommented the rhel9cis_tmp_tmpfs_settings variable that was previously disabled:

Before:

# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"

After:

rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"

With improved documentation explaining its purpose and CIS compliance requirements.

Impact

  • Backward Compatibility: All changes maintain full backward compatibility
  • Configuration Flexibility: Users now have more granular control over previously hard-coded or commented settings
  • Documentation: Clearer guidance reduces configuration errors and improves user experience
  • Code Quality: Eliminates commented-out code in favor of proper configuration options

All changes have been validated with yamllint and follow the existing code style and patterns.
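The SSH documentation block in this PR summarises the order in which sshd evaluates its four access-control directives. The following added example (not code from the PR or from the role it modifies) parses a constructed sshd_config fragment and evaluates a login attempt in the order documented in sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups. It also handles the USER@HOST form with CIDR host criteria, which the role's `allowusers` example relies on. The sample configuration, user names, groups and addresses are constructed for illustration.

```python
"""Evaluate sshd user/group access-control directives for a login attempt.

Added example, not part of the PR or the role it modifies. It models the
evaluation order documented in sshd_config(5). Patterns use shell-style
wildcards; user directives may take the USER@HOST form, where HOST may be
a hostname pattern or a CIDR address/masklen. Only "Key value" syntax is
parsed here, which is enough for the directives of interest.
"""
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample configuration (not from the role).
SAMPLE_SSHD_CONFIG = """\
# access control section
DenyUsers root
AllowUsers user1 user2 ops@10.0.0.0/8
DenyGroups nologin
AllowGroups wheel sysadmin
"""

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

# Decision reasons returned by access_decision()
DENIED_BY_DENYUSERS = "denied: matched DenyUsers"
DENIED_BY_ALLOWUSERS = "denied: AllowUsers is set and user is not listed"
DENIED_BY_DENYGROUPS = "denied: a group matched DenyGroups"
DENIED_BY_ALLOWGROUPS = "denied: AllowGroups is set and no group is listed"
ALLOWED = "allowed"


def parse_access_directives(text):
    """Collect the four access-control directives from sshd_config text."""
    acl = {d: [] for d in DIRECTIVES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()  # sshd keywords are case-insensitive
        if key in acl:
            acl[key].extend(value.split())
    return acl


def _host_matches(pattern, host):
    """Match HOST criteria: CIDR if it contains '/', else a wildcard pattern."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # host is not an IP address, so a CIDR rule cannot match
    return fnmatchcase(host, pattern)


def _user_matches(pattern, user, host):
    """Match a USER or USER@HOST pattern against the login attempt."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and _host_matches(host_pat, host)
    return fnmatchcase(user, pattern)


def _any_group_matches(patterns, groups):
    return any(fnmatchcase(g, p) for p in patterns for g in groups)


def access_decision(acl, user, groups, host):
    """Return (allowed, reason) following the documented directive order.

    The Allow* directives act as implicit deny lists: once AllowUsers or
    AllowGroups is non-empty, anyone not matching it is locked out, which
    is why the role's documentation warns about precedence.
    """
    if any(_user_matches(p, user, host) for p in acl["denyusers"]):
        return False, DENIED_BY_DENYUSERS
    if acl["allowusers"] and not any(_user_matches(p, user, host) for p in acl["allowusers"]):
        return False, DENIED_BY_ALLOWUSERS
    if _any_group_matches(acl["denygroups"], groups):
        return False, DENIED_BY_DENYGROUPS
    if acl["allowgroups"] and not _any_group_matches(acl["allowgroups"], groups):
        return False, DENIED_BY_ALLOWGROUPS
    return True, ALLOWED


if __name__ == "__main__":
    acl = parse_access_directives(SAMPLE_SSHD_CONFIG)
    # Constructed login attempts: (user, groups, source host)
    attempts = [
        ("user1", ["wheel"], "203.0.113.5"),
        ("root", ["wheel"], "203.0.113.5"),
        ("ops", ["sysadmin"], "10.20.30.40"),
        ("ops", ["sysadmin"], "192.0.2.9"),
        ("user2", ["users"], "203.0.113.5"),
    ]
    for user, groups, host in attempts:
        ok, why = access_decision(acl, user, groups, host)
        print(f"{user}@{host} groups={groups}: {why}")
```

Running the block prints one decision per attempt; the `ops` user from 192.0.2.9 is refused even though `ops` appears in AllowUsers, because the entry is scoped to 10.0.0.0/8, and `user2` is refused because none of the user's groups appear in AllowGroups. This is the behaviour the role's comment is warning about: adding an Allow* directive silently denies everyone it does not name.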



@tilt-x tilt-x marked this pull request as ready for review July 30, 2025 13:18
… docs, repo_gpgcheck docs, tmp tmpfs settings

Co-authored-by: tilt-x <[email protected]>
Copilot AI changed the title [WIP] Find 5 TODOS in the codebase and fix them Fix 5 TODO-like items: Enable configurable settings and improve documentation Jul 30, 2025
Copilot AI requested a review from tilt-x July 30, 2025 13:30
Copilot finished work on behalf of tilt-x July 30, 2025 13:30
