Closed jlosito closed 3 years ago
Hi @jlosito
Thanks for highlighting this. I have added the ability for 1.2.1 to look at CentOS, and 1.2.2 is now also outputting the findings. Both of these are classed as manual steps; we cover these by outputting any findings if needed so they can be checked against the site-specific documented settings that they would need to adhere to.
regards
uk-bolly
@uk-bolly @georgenalen I guess I'll close this ticket out since the fix has been merged.
I have a couple of CentOS 7 boxes in my garage I use this role against and notice that there's a couple of steps which get skipped but maybe should be executed. I believe the steps which get skipped, some are linked below, are compatible with both RHEL 7 and CentOS 7. The only steps I can think of off of the top of my head which would not be compatible are around the subscription manager.
https://github.com/ansible-lockdown/RHEL7-CIS/blob/devel/tasks/section_1/cis_1.2.x.yml#L7
https://github.com/ansible-lockdown/RHEL7-CIS/blob/devel/tasks/section_1/cis_1.2.x.yml#L19
I'm guessing these steps are skipped because the ansible_distribution is technically CentOS and not RedHat on my machines.
Step 1.2.2 should be compatible on a CentOS 7 box since all it's doing is running a yum repolist. Step 1.2.1 on the other hand might be slightly different on a CentOS box. I believe these would be the equivalent keys that are being checked for a RHEL 7 machine.
The comment linked below from another contributor states that the intention of this role is for it to be compatible with CentOS 7 as much as possible if I'm reading it correctly. If so, can we add something like
when: (ansible_distribution == "RedHat") or (ansible_distribution == "CentOS")
to rule 1.2.2 for now?
https://github.com/ansible-lockdown/RHEL7-CIS/issues/84#issuecomment-373838460