ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Audit-Only Mode? #328

Closed mcascone closed 5 months ago

mcascone commented 7 months ago

Question: Is there a way to run this in Audit-Only mode? There is some confusing information in the readme.

The doc first states to use the RHEL7-CIS-Audit role, but that's not actually a role, it's a script, which makes running it different/more difficult than pointing a role at an inventory set.

The docs also say check mode will work but isn't supported.

Later in the doc, there's an Auditing (new) section that states auditing can be turned on/off with a param. But it's not clear if this param runs only the audits, making no changes to the target system(s), or runs audits in addition to the remediation.

Additionally, the rhel7cis_run_audit parameter does not exist in the defaults/main.yml file. The closest match is run_audit. The comment on that param is enable audits to run - this runs the audit and get the latest content. Like mentioned above, it's not clear if this runs only the audit or also the audit.

For what it's worth, I have been testing running with an ansible extra var, -e "audit_only=true", and I think it's working?

Thanks in advance for any help!

mcascone commented 7 months ago

@uk-bolly Can you help me understand the options here? Thanks!

uk-bolly commented 6 months ago

Hi @mcascone

You may have noticed we have been adding this function to other repositories. We will look to add this to rhel7-cis next.

Kindest regards

uk-bolly

uk-bolly commented 5 months ago

Hi @mcascone

We have cut a new release in the main branch and the devel is updated. This works through as expected.

https://github.com/ansible-lockdown/RHEL7-CIS/releases/tag/1.3.0

I will therefore close this issue; please feel free to give feedback if you are still seeing problems.

Many thanks

uk-bolly