diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 9fbe7aa8..931f520c 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -121,7 +121,7 @@ inventory: .github/workflows/github_linux_IaC/hosts.yml
 galaxy_file: collections/requirements.yml
 private_key: ${{ secrets.SSH_PRV_KEY }}
- # verbose: 3
+ verbose: ${{ env.ENABLE_DEBUG == 'true' && 3 || 0 }}
 env:
 ANSIBLE_HOST_KEY_CHECKING: "false"
 ANSIBLE_DEPRECATION_WARNINGS: "false"
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 67ee9d90..33ce0c4c 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -110,7 +110,7 @@ inventory: .github/workflows/github_linux_IaC/hosts.yml
 galaxy_file: collections/requirements.yml
 private_key: ${{ secrets.SSH_PRV_KEY }}
- # verbose: 3
+ verbose: ${{ env.ENABLE_DEBUG == 'true' && 3 || 0 }}
 env:
 ANSIBLE_HOST_KEY_CHECKING: "false"
 ANSIBLE_DEPRECATION_WARNINGS: "false"
diff --git a/defaults/main.yml b/defaults/main.yml
index ff21216b..389d379d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -374,7 +374,8 @@ rhel9cis_rule_6_2_16: true
 #### 1.1.2
 # These settings go into the /etc/fstab file for the /tmp mount settings
 # The value must contain nosuid,nodev,noexec to conform to CIS standards
-# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
+# Uncomment and modify as needed for your environment
+rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
 # If set true uses the tmp.mount service else using fstab configuration
 rhel9cis_tmp_svc: false
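Review bot: Setting `verbose` to 3 from `ENABLE_DEBUG` runs ansible-playbook at -vvv, which prints the full ssh command line plus every module's arguments and return data, so any task value not protected by `no_log` lands in the job log, and the runner's masking only hides exact secret strings. Where `ENABLE_DEBUG` is defined is outside this hunk, so I cannot tell whether it is a fixed workflow `env:` entry or something a dispatcher or fork can flip; please confirm it is not settable by untrusted triggers. I would put the warning next to the new line: `# -vvv prints ssh commands and module args/results; enable only while troubleshooting`.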
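Review bot: The expression now always supplies `verbose`, so the step receives `0` where the input was previously absent, and a `${{ }}` result is passed to the action as a string. Confirm that the action treats `0` as "add no -v flag" rather than building an empty or malformed option from it; the action itself is not visible in this hunk. For the main pipeline I would also note on the line that -vvv exposes module arguments in the log, e.g. `# -vvv logs module args/results; keep ENABLE_DEBUG off for normal runs`, since the same `ENABLE_DEBUG` toggle now governs both pipelines.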
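Review bot: The new comment `# Uncomment and modify as needed for your environment` sits directly above a line this hunk itself uncomments, so it now tells the reader to uncomment something that is already active. Replace it with something like `# Active by default; override per host/group if needed, but keep nosuid,nodev,noexec and the trailing fstab dump/pass fields (0 0)`. Because the variable is now always defined, any 1.1.2 task that branched on `rhel9cis_tmp_tmpfs_settings is defined` (not visible here) will always take the defined path; worth confirming that is the intended behaviour for the fstab and tmp.mount variants selected by `rhel9cis_tmp_svc`.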
@@ -452,6 +453,9 @@ rhel9cis_chrony_server_options: "minpoll 8"
 rhel9cis_chrony_server_rtcsync: false
 rhel9cis_chrony_server_makestep: "1.0 3"
 rhel9cis_chrony_server_minsources: 2
+# Enable rtcfile directive (disabled by default due to potential lockup issues on some motherboards/kernels)
+rhel9cis_chrony_server_rtcfile_enable: false
+rhel9cis_chrony_server_rtcfile_path: "/var/lib/chrony/chrony.rtc"
 ### 2.2 Special Purposes
 ##### Service configuration booleans set true to keep service
@@ -596,9 +600,19 @@ rhel9cis_sshd:
 clientalivecountmax: 0
 clientaliveinterval: 900
 logingracetime: 60
- # WARNING: make sure you understand the precedence when working with these values!!
+ # SSH Access Control Configuration
+ # IMPORTANT: These directives are processed in the order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
+ # First match wins, so be careful with precedence!
+ #
+ # Examples:
+ # allowusers: "user1 user2 admin@10.0.0.0/8"
+ # allowgroups: "wheel sysadmin"
+ # denyusers: "guest test"
+ # denygroups: "games"
+ #
+ # Uncomment and configure as needed for your environment:
 # allowusers:
- # allowgroups: systems dba
+ # allowgroups:
 # denyusers:
 # denygroups:
diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2
index a1837a9b..bc3a0b01 100644
--- a/templates/etc/chrony.conf.j2
+++ b/templates/etc/chrony.conf.j2
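Review bot: `rhel9cis_chrony_server_rtcfile_enable` is introduced three lines below `rhel9cis_chrony_server_rtcsync`, and chrony's configuration documentation lists `rtcsync` and `rtcfile` as incompatible directives, yet nothing here stops a user from setting both to true; as far as I recall chronyd rejects that combination at startup, so please confirm on the target chrony version. Say so in the new comment, e.g. `# Mutually exclusive with rhel9cis_chrony_server_rtcsync; do not enable both`, and add a preflight assert in the role's tasks (outside this diff) such as `that: not (rhel9cis_chrony_server_rtcfile_enable and rhel9cis_chrony_server_rtcsync)` with a fail_msg naming both variables. A time-sync daemon that fails to start is a silent compliance regression for the 2.1 controls, so catching it before the template is written is worth the extra task.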
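Review bot: The new line `# First match wins, so be careful with precedence!` misstates how sshd evaluates these lists: a login must pass every directive that is set, meaning a match in DenyUsers or DenyGroups rejects, and when AllowUsers or AllowGroups is set a non-match rejects, so listing someone in `allowusers` does not protect them from a later `denygroups` hit. Suggest replacing that line with `# A match in a Deny* list rejects; if an Allow* list is set, a non-match rejects; a login must pass all four.` and keeping the processing order sentence as is. The `admin@10.0.0.0/8` example is valid sshd syntax, but the examples should carry a warning that any non-empty `allowusers`/`allowgroups` locks out every account not listed, including the account Ansible connects with, which is the classic self-lockout when this role is applied.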
@@ -84,10 +84,14 @@ logchange 0.5
 # This directive tells chrony to regulate the real-time clock and tells it
 # Where to store related data. It may not work on some newer motherboards
 # that use the HPET real-time clock. It requires enhanced real-time
-# support in the kernel. I've commented it out because with certain
-# combinations of motherboard and kernel it is reported to cause lockups.
-
-# rtcfile /var/lib/chrony/chrony.rtc
+# support in the kernel. Disabled by default due to reported lockups with
+# certain combinations of motherboard and kernel.
+
+{% if rhel9cis_chrony_server_rtcfile_enable %}
+rtcfile {{ rhel9cis_chrony_server_rtcfile_path }}
+{% else %}
+# rtcfile {{ rhel9cis_chrony_server_rtcfile_path }}
+{% endif %}
 # If the last line of this file reads 'rtconutc' chrony will assume that
 # the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml
index b0eb3d91..12610020 100644
--- a/vars/AlmaLinux.yml
+++ b/vars/AlmaLinux.yml
@@ -3,5 +3,9 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29
 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716"
-# disable repo_gpgcheck due to OS default repos
+
+# Repository GPG checking is disabled for AlmaLinux
+# This is due to the OS default repositories not having proper GPG signatures configured
+# CIS 1.2.4 requires repo_gpgcheck=1, but this conflicts with AlmaLinux default repos
+# Set to true only if you have properly configured GPG keys for all repositories
 rhel9cis_rule_enable_repogpg: false
diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml
index 64927cce..ad18282d 100644
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
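Review bot: `rtcfile {{ rhel9cis_chrony_server_rtcfile_path }}` renders the variable unquoted into a config whose grammar is whitespace- and newline-delimited with no quoting syntax, so a value containing a space or newline (for example from an inventory or extra-vars override) would truncate the directive or inject additional chrony directives. The exposure is small because the default comes from the role, but a preflight assert in the role's tasks (outside this diff) closes it cheaply: `that: rhel9cis_chrony_server_rtcfile_path is match('^/[^\s]+$')` with a fail_msg pointing at the variable. I would also mention in the comment above the block that the directory must be writable by the user chronyd drops to, since the file is created at runtime rather than by this role.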
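Review bot: The new comment conflates two different controls: `repo_gpgcheck` verifies the signature on repository metadata (`repomd.xml.asc`), which the repository operator must publish, while "properly configured GPG keys" concerns package signature verification (`gpgcheck`), which this variable does not touch. As written, `# Set to true only if you have properly configured GPG keys for all repositories` suggests importing keys is sufficient, whereas enabling it against a repo that does not serve signed repodata makes dnf fail for that repo regardless of which keys are installed. Suggest replacing the last two lines with `# repo_gpgcheck verifies repodata signatures (repomd.xml.asc), not package signatures; the AlmaLinux default repos do not ship them, so dnf fails with it on. Set true only if every enabled repo serves signed metadata.` The claim about the default repos is the existing note's, not something verifiable from this diff, so keep it phrased as the reason the role chose this default.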
@@ -2,5 +2,9 @@ # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) "
-# disable repo_gpgcheck due to OS default repos
+
+# Repository GPG checking is disabled for Oracle Linux
+# This is due to the OS default repositories not having proper GPG signatures configured
+# CIS 1.2.4 requires repo_gpgcheck=1, but this conflicts with Oracle Linux default repos
+# Set to true only if you have properly configured GPG keys for all repositories
 rhel9cis_rule_enable_repogpg: false
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index c5833a4c..4ee9699c 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -4,5 +4,8 @@ os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b
 os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51"
-# disable repo_gpgcheck due to OS default repos
+# Repository GPG checking is disabled for Red Hat Enterprise Linux
+# This is due to the OS default repositories not having proper GPG signatures configured
+# CIS 1.2.4 requires repo_gpgcheck=1, but this conflicts with RHEL default repos
+# Set to true only if you have properly configured GPG keys for all repositories
 rhel9cis_rule_enable_repogpg: false
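Review bot: `# Set to true only if you have properly configured GPG keys for all repositories` points the reader at the wrong control: `repo_gpgcheck` checks the signature of the repository metadata (`repomd.xml.asc`), which a repository has to publish, and importing GPG keys does not create that signature. A shorter, accurate version of the last three lines: `# repo_gpgcheck=1 needs signed repodata (repomd.xml.asc) from every enabled repo; the Oracle Linux default repos do not provide it, so leave false unless all enabled repos serve signed metadata.` Package signature checking (`gpgcheck`) is a separate setting and is unaffected by this variable, which is worth stating so nobody reads this as "package signatures are not verified on Oracle Linux".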
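Review bot: This is the third copy of the same four-line explanation (AlmaLinux.yml and OracleLinux.yml carry it differing only in the OS name), so the reasoning, including the imprecise claim that repo_gpgcheck is about key configuration rather than signed repodata, now has to be corrected in three places. Keep one full explanation wherever the variable's default is declared (not visible in this diff) and reduce each vars file to a one-line pointer, e.g. `# repo_gpgcheck off: RHEL default repos do not serve signed repodata (repomd.xml.asc); see the variable's default for details`. If the per-file text stays, at least replace the last line with `# Set true only if every enabled repo serves signed metadata; package gpgcheck is unaffected` so the condition matches what dnf actually verifies.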