Open keachi opened 7 years ago
@karras said: I had the following idea in mind: Create one role "security-hardening" and another one called "security-reporting" or similar. The first role would actually do the hardening configuration and the reporting one would be responsible for scanning and checking if everything is compliant.
To save some work we could also just let the security-hardening role run in check-only mode.
The hardening role could consist of many different task files, each named after the CVE it fixes, and then include them all through the main.yml file. In addition a comment or README would provide the necessary mapping or info for each CVE.
Add a role `security` which contains tasks for CVE-related stuff (e.g. blacklisting some kernel modules).
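An added sketch of the layout discussed above (example code, not from this issue or the project): one per-CVE task file in the hardening role plus its counterpart in the reporting role, using only Ansible builtin modules. The CVE id and the module name `example_module` are placeholders; take the real ones from the advisory.

```yaml
# roles/security-hardening/tasks/main.yml
# main.yml only includes per-CVE task files; each file maps to a README entry.
- name: Include per-CVE hardening task files
  ansible.builtin.include_tasks: "{{ item }}"
  loop:
    - CVE-XXXX-XXXX.yml   # placeholder id

# roles/security-hardening/tasks/CVE-XXXX-XXXX.yml
# Mitigation: stop an unneeded kernel module from being loaded at all.
- name: Blacklist the affected kernel module (CVE-XXXX-XXXX)
  ansible.builtin.copy:
    dest: /etc/modprobe.d/CVE-XXXX-XXXX.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      # Managed by the security-hardening role
      install example_module /bin/false
      blacklist example_module
  become: true

- name: Unload the module if it is currently loaded
  ansible.builtin.modprobe:
    name: example_module
    state: absent
  become: true

# roles/security-reporting/tasks/CVE-XXXX-XXXX.yml
# Compliance check: read-only, so it also runs under --check.
- name: Collect loaded kernel modules
  ansible.builtin.command: lsmod
  register: lsmod_out
  changed_when: false
  check_mode: false

- name: Report non-compliance if the module is still loaded (CVE-XXXX-XXXX)
  ansible.builtin.assert:
    that:
      - "'example_module' not in lsmod_out.stdout"
    fail_msg: "example_module is loaded; CVE-XXXX-XXXX mitigation not applied"
    success_msg: "CVE-XXXX-XXXX mitigation in place"
```

Running the hardening role with `ansible-playbook site.yml --check --diff` gives the "check-only mode" variant: it reports which files and modules would change without touching the hosts.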