### Example Control Tags in Ansible Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/README.md This example shows how tags are defined for a control. You can use these tags to include or exclude specific controls during an Ansible run. ```yaml tags: - level1-server - level1-workstation - scored - avahi - services - patch - rule_2.2.4 ``` -------------------------------- ### Custom SSH Configuration Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Apply custom SSH settings like port and allowed users during hardening. This example sets a non-standard SSH port and specifies allowed users. ```yaml --- - name: Hardening with custom SSH settings hosts: web_servers gather_facts: true pre_tasks: - name: Set custom SSH settings set_fact: deb12cis_ssh_port: 2222 deb12cis_ssh_allow_users: "deploy app-user" roles: - role: mindpointgroup.deb12_cis ``` -------------------------------- ### Container-Specific Configuration Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Apply hardening to Debian 12 containers, disabling host-specific controls and skipping reboots. This example disables specific rules and sets skip_reboot to true. ```yaml --- - name: Hardening Debian 12 container hosts: container_images gather_facts: true vars: # Disable host-specific controls deb12cis_rule_1_4_1: false # Skip grub config deb12cis_rule_2_4_1_1: false # Skip NFS removal deb12cis_skip_reboot: true change_requires_reboot: false roles: - role: mindpointgroup.deb12_cis ``` -------------------------------- ### Ansible Inventory Structure Example Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Defines groups of servers and their associated variables in an Ansible inventory file. This structure helps in organizing hosts and applying specific configurations to groups or individual hosts. ```ini # inventory/production [debian12_servers] web01.example.com web02.example.com db01.example.com [debian12_servers:vars] deb12cis_level_1=true deb12cis_level_2=false [secure_servers] auth.example.com vault.example.com [secure_servers:vars] deb12cis_level_1=true deb12cis_level_2=true deb12cis_disruption_high=true run_audit=true ``` -------------------------------- ### Custom Audit Configuration Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Configure audit settings for hardening, including enabling heavy tests and specifying output collection methods. This example enables audit, sets heavy tests, and configures fetch for results. ```yaml --- - name: Hardening with audit hosts: audited_servers gather_facts: true vars: run_audit: true setup_audit: true audit_run_heavy_tests: true audit_output_collection_method: fetch audit_output_destination: /var/audit_results/ fetch_audit_output: true roles: - role: mindpointgroup.deb12_cis post_tasks: - name: Check audit results debug: var: post_audit_summary ``` -------------------------------- ### Limit Ansible Playbook Scope with Tags Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Run specific sections or tasks of a playbook by using tags. This example runs only tasks tagged with 'level1-server'. ```bash # Run only essential services section ansible-playbook site.yml --tags "level1-server" -f 10 ``` -------------------------------- ### Auditd Exception Rule Example Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/templates-and-filters.md Example of an auditd exception rule to exclude specific UIDs from logging. This is useful for excluding service account activity. ```jinja -a always,exclude -F auid=1999 ``` -------------------------------- ### Check a Specific CIS Control Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/INDEX.md Verify the status of a specific CIS benchmark control by running the playbook with a tag corresponding to the control ID. For example, tag 'rule_3_4_1' checks control 3.4.1. ```bash ansible-playbook site.yml --tags "rule_3_4_1" ``` -------------------------------- ### Enable a CIS Benchmark Section Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/INDEX.md Set the corresponding variable to 'true' to enable a specific section of the CIS benchmark. For example, setting 'deb12cis_section5' to true enables SSH hardening controls. ```yaml vars: deb12cis_section5: true # Enable SSH hardening ``` -------------------------------- ### Enable Verbose Output for Ansible Playbook Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Increase the verbosity of Ansible output to debug issues. Use '-v', '-vv', or '-vvv' for progressively more detailed logs. This example targets 'ssh' related tasks. ```bash ansible-playbook site.yml -vvv --tags "ssh" ``` -------------------------------- ### Run update-grub Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Regenerates grub.cfg from grub configuration. Use when grub bootloader configuration is modified. ```bash update-grub ``` -------------------------------- ### Run Playbook with Category Tags Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/tasks-overview.md Execute tasks belonging to multiple specified categories, like 'ssh' and 'services'. ```bash ansible-playbook -i inventory site.yml --tags "ssh,services" ``` -------------------------------- ### Run Playbook with Level Tags Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/tasks-overview.md Execute tasks tagged for level 1 servers or level 2 workstations. ```bash ansible-playbook -i inventory site.yml --tags "level1-server" ansible-playbook -i inventory site.yml --tags "level2-workstation" ``` -------------------------------- ### Apply Hardening with Vault-Based Configuration Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Use this playbook to apply CIS hardening configurations defined in Vault. Ensure 'vault/cis_defaults.yml' is correctly populated. ```yaml --- - name: Hardening with vault-based configuration hosts: debian12_servers gather_facts: true vars_files: - vault/cis_defaults.yml roles: - role: mindpointgroup.deb12_cis ``` -------------------------------- ### Ansible Playbook with Pre-Configuration Validation and Hooks Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md This playbook includes pre-tasks to validate the system and back up SSH configuration before applying CIS hardening roles. Post-tasks verify critical services and display compliance facts. ```yaml --- - name: CIS hardening with validation hosts: debian12_servers gather_facts: true pre_tasks: - name: Verify system is supported assert: that: - ansible_distribution == 'Debian' - ansible_distribution_major_version == '12' fail_msg: "Only Debian 12 is supported" - name: Backup current SSH config copy: src: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config.backup.{{ ansible_date_time.iso8601_basic }} remote_src: true when: deb12cis_rule_5_2_1 roles: - role: mindpointgroup.deb12_cis post_tasks: - name: Verify critical services are running systemd: name: "{{ item }}" state: started loop: - sshd - rsyslog - auditd when: run_audit - name: Display compliance facts debug: var: ansible_local.compliance_facts when: create_benchmark_facts ``` -------------------------------- ### Run Playbook with Type Tags Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/tasks-overview.md Execute tasks categorized by type, such as 'patch' or 'audit'. ```bash ansible-playbook -i inventory site.yml --tags "patch" ansible-playbook -i inventory site.yml --tags "audit" ``` -------------------------------- ### Deploy Configuration from Template Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/templates-and-filters.md This snippet shows a standard Ansible task for deploying a configuration file from a Jinja2 template. It specifies source and destination paths, ownership, permissions, and enables backup. It also includes a notification to restart a service upon changes and a conditional execution based on a variable. ```yaml - name: "Deploy configuration from template" ansible.builtin.template: src: path/to/template.j2 dest: /destination/path owner: root group: root mode: 'u=rw,go=r' backup: true notify: "Handler to restart service" when: deb12cis_rule_X_X_X_X ``` -------------------------------- ### Configure Audit Settings Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/INDEX.md Configure audit settings by enabling the audit run, setting up audit, specifying the audit content source, and providing the audit configuration source URL. ```yaml vars: run_audit: true setup_audit: true audit_content: git audit_conf_source: https://github.com/ansible-lockdown/DEBIAN12-CIS-Audit.git ``` -------------------------------- ### Apply Compliance Config from External API Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md This playbook fetches compliance policies from an external API and applies them as variables. It requires a running policy API and a defined 'environment' variable. ```yaml --- - name: Apply compliance config from API hosts: debian12_servers gather_facts: true pre_tasks: - name: Fetch compliance policy uri: url: "https://policy-api.example.com/debian12-cis/{{ environment }}" method: GET return_content: yes register: compliance_policy - name: Apply policy variables set_fact: "{{ item.key }}": "{{ item.value }}" loop: "{{ compliance_policy.json | dict2items }}" roles: - role: mindpointgroup.deb12_cis ``` -------------------------------- ### Enable PAM Unix password module Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Enables or updates the PAM Unix password authentication module. Use when PAM Unix password module configuration is modified. ```bash pam-auth-update --enable {{ deb12cis_pam_pwunix_file }} ``` -------------------------------- ### Ansible Role Integration with Minimal Configuration Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Apply CIS hardening with custom settings for Level 1 and Level 2 controls, while disabling high disruption controls. This allows for a more tailored hardening approach. ```yaml --- - name: Apply CIS hardening with custom settings hosts: debian12_servers gather_facts: true vars: deb12cis_level_1: true deb12cis_level_2: false deb12cis_disruption_high: false roles: - role: mindpointgroup.deb12_cis ``` -------------------------------- ### Run Ansible Playbook with Tags Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/INDEX.md Execute Ansible playbooks using specific tags to target particular controls or groups of controls. Use tags like 'level1-server' or 'ssh' to filter the execution. ```bash ansible-playbook site.yml --tags "level1-server,ssh" ``` -------------------------------- ### Typical Ansible Task Pattern Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/tasks-overview.md Illustrates the standard structure for an Ansible task, including naming conventions, conditional execution, tagging, and the use of blocks for multi-step remediation. This pattern is useful for organizing complex controls. ```yaml - name: "X.X.X.X | PATCH | Description of what control does" when: deb12cis_rule_X_X_X_X tags: - level1-server # or level2-* - level1-workstation # or level2-* - patch # or audit - rule_X.X.X.X - NIST800-53R5_XX-Y - category_tag block: # Usually grouped for multi-step remediation - name: "X.X.X.X | PATCH | Step 1 description" # Module execution - name: "X.X.X.X | PATCH | Step 2 description" # Module execution notify: "Handler name if applicable" ``` -------------------------------- ### Capture and Display CIS Variable State Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md This playbook demonstrates how to capture and display the state of various CIS benchmark variables. Use the 'debug' module to inspect variable values during playbook execution. ```yaml --- - name: Debug CIS variables hosts: debian12_servers gather_facts: true pre_tasks: - name: Show CIS configuration debug: msg: | Level 1: {{ deb12cis_level_1 }} Level 2: {{ deb12cis_level_2 }} Sections: 1={{ deb12cis_section1 }} 2={{ deb12cis_section2 }} 3={{ deb12cis_section3 }} 4={{ deb12cis_section4 }} 5={{ deb12cis_section5 }} 6={{ deb12cis_section6 }} 7={{ deb12cis_section7 }} Disruption High: {{ deb12cis_disruption_high }} ``` -------------------------------- ### Basic Role Integration with Ansible Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Integrate the Debian 12 CIS hardening role into a simple site playbook. This applies all default CIS controls. ```yaml --- - name: Apply DEBIAN12-CIS hardening hosts: debian12_servers gather_facts: true roles: - role: mindpointgroup.deb12_cis ``` -------------------------------- ### Molecule Default Configuration for Debian 12 CIS Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md This Molecule configuration sets up a Docker environment to test the deb12_cis role on Debian 12. It specifies the platform image and enables specific CIS benchmark levels. ```yaml # molecule/default/molecule.yml --- driver: name: docker platforms: - name: debian12 image: debian:bookworm pre_build_image: true provisioner: name: ansible playbooks: converge: | --- - hosts: all gather_facts: true roles: - role: deb12_cis deb12cis_level_1: true deb12cis_level_2: true run_audit: false ``` -------------------------------- ### Ansible Phased Hardening Deployment Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md This set of Ansible playbooks implements a phased rollout for hardening Debian 12 servers according to CIS benchmarks. Each phase targets specific sections of the benchmark by enabling corresponding variables. ```yaml --- - name: Phase 1 - Basic hardening (Sections 1-3) hosts: debian12_servers gather_facts: true vars: deb12cis_section1: true deb12cis_section2: true deb12cis_section3: true deb12cis_section4: false deb12cis_section5: false deb12cis_section6: false deb12cis_section7: false roles: - role: mindpointgroup.deb12_cis tags: phase1 - name: Phase 2 - Access control hardening (Sections 4-5) hosts: debian12_servers gather_facts: true vars: deb12cis_section1: false deb12cis_section2: false deb12cis_section3: false deb12cis_section4: true deb12cis_section5: true deb12cis_section6: false deb12cis_section7: false roles: - role: mindpointgroup.deb12_cis tags: phase2 - name: Phase 3 - System hardening (Sections 6-7) hosts: debian12_servers gather_facts: true vars: deb12cis_section1: false deb12cis_section2: false deb12cis_section3: false deb12cis_section4: false deb12cis_section5: false deb12cis_section6: true deb12cis_section7: true roles: - role: mindpointgroup.deb12_cis tags: phase3 ``` -------------------------------- ### Enable PAM password history module Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Enables or updates the PAM password history module to prevent reuse. Use when PAM password history module configuration is modified. ```bash pam-auth-update --enable {{ deb12cis_pam_pwhistory_file }} ``` -------------------------------- ### Run Multiple Specific Categories Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Execute hardening controls from multiple categories simultaneously using Ansible tags. This command targets playbooks tagged with 'ssh', 'services', and 'firewall'. ```bash ansible-playbook site.yml --tags "ssh,services,firewall" ``` -------------------------------- ### Enable PAM password quality module Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Enables or updates the PAM password quality module for password strength enforcement. Use when PAM password quality module configuration is modified. ```bash pam-auth-update --enable {{ deb12cis_pam_pwquality_file }} ``` -------------------------------- ### Run Molecule Tests Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/README.md Execute local testing scenarios using Molecule for Ansible. Use 'test' for a full cycle, 'converge' with '--check' for a dry run, and 'verify' to validate the configuration. ```bash molecule test -s default molecule converge -s wsl -- --check Molecule verify -s localhost ``` -------------------------------- ### Enable PAM faillock module Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Enables or updates the PAM faillock (account lockout) module. Use when PAM account lockout module configuration is modified. ```bash pam-auth-update --enable {{ deb12cis_pam_faillock_file }} ``` -------------------------------- ### Ansible Playbook with Error Handling and Rollback Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md This playbook attempts to apply CIS hardening and includes a rescue block to capture errors, attempt SSH configuration restoration, restart SSH, and fail with context if issues occur. ```yaml --- - name: Safe CIS hardening with rollback hosts: servers gather_facts: true roles: - role: mindpointgroup.deb12_cis rescue: - name: Capture error details debug: var: ansible_failed_result - name: Attempt to restore SSH config if available copy: src: /etc/ssh/sshd_config.backup dest: /etc/ssh/sshd_config remote_src: true when: ansible_failed_result.filename | default('') == '/etc/ssh/sshd_config' - name: Restart SSH service systemd: name: sshd state: restarted when: ansible_failed_result.filename | default('') == '/etc/ssh/sshd_config' - name: Fail with context fail: msg: "CIS hardening failed. Error: {{ ansible_failed_result.msg }}" ``` -------------------------------- ### High-Security Workstation Hardening with Ansible Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Apply maximum hardening to secure workstations by enabling all CIS controls, including Level 1, Level 2, and high disruption controls. This ensures the highest security posture. ```yaml --- - name: Maximum hardening - All controls hosts: secure_workstations gather_facts: true vars: deb12cis_level_1: true deb12cis_level_2: true deb12cis_disruption_high: true roles: - role: mindpointgroup.deb12_cis ``` -------------------------------- ### Apply CIS Hardening with Specific Control Exceptions Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/README.md This snippet applies hardening while explicitly disabling specific controls. Use this to tailor the hardening process to your environment's needs. Ensure the 'mindpointgroup.deb12_cis' role is available and hosts are defined in your Ansible inventory. ```yaml --- - name: Apply CIS hardening with exceptions hosts: debian12_servers gather_facts: true roles: - role: mindpointgroup.deb12_cis vars: deb12cis_rule_5_2_11: false # Allow SSH root login deb12cis_rule_2_4_1_1: false # Don't remove NFS ``` -------------------------------- ### Ansible Audit Summary Output Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/README.md This snippet shows the typical output of an Ansible audit, including pre and post remediation results and a PLAY RECAP. It is useful for understanding the success and failure metrics of Ansible tasks. ```txt ok: [default] => { "msg": [ "The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].", "The post remediation results are: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].", "Full breakdown can be found in /var/tmp", "" ] } PLAY RECAP ******************************************************************************************************************************************* default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 ``` -------------------------------- ### Ansible Playbook for Pre and Post Remediation Audit Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md This Ansible playbook performs pre and post-remediation audits using GOSS to validate system configurations against CIS benchmarks. It requires the 'mindpointgroup.deb12_cis' role and assumes the audit content is fetched from a Git repository. ```yaml --- - name: Compare pre/post remediation state hosts: audit_targets gather_facts: true vars: run_audit: true setup_audit: true audit_content: git audit_conf_source: https://github.com/ansible-lockdown/DEBIAN12-CIS-Audit.git fetch_audit_output: true audit_output_destination: /var/audit_results/ tasks: - name: Pre-remediation audit block: - name: Run pre-remediation audit shell: | cd /opt/DEBIAN12-CIS-Audit goss -d /opt/DEBIAN12-CIS-Audit/goss.yaml validate > /tmp/pre_audit.log register: pre_audit_result ignore_errors: true - name: Save pre-remediation results copy: content: "{{ pre_audit_result.stdout }}" dest: /var/audit_results/pre_remediation.txt when: setup_audit | bool roles: - role: mindpointgroup.deb12_cis post_tasks: - name: Post-remediation audit block: - name: Run post-remediation audit shell: | cd /opt/DEBIAN12-CIS-Audit goss -d /opt/DEBIAN12-CIS-Audit/goss.yaml validate > /tmp/post_audit.log register: post_audit_result ignore_errors: true - name: Save post-remediation results copy: content: "{{ post_audit_result.stdout }}" dest: /var/audit_results/post_remediation.txt - name: Compare audit results debug: msg: | Pre-remediation checks: {{ pre_audit_result.stdout_lines | length }} tests Post-remediation checks: {{ post_audit_result.stdout_lines | length }} tests when: run_audit | bool ``` -------------------------------- ### Save ip6tables IPv6 Rules Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Saves the current ip6tables IPv6 rules to a file, ensuring they persist across reboots. The handler succeeds if ip6tables-save returns 0 and fails otherwise. ```bash ip6tables-save > /etc/iptables/rules.v6 ``` -------------------------------- ### Apply CIS Hardening and Audit All Controls Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/README.md This snippet applies both Level 1 and Level 2 hardening controls and enables auditing. Ensure the 'mindpointgroup.deb12_cis' role is available and hosts are defined in your Ansible inventory. ```yaml --- - name: Apply CIS hardening and audit hosts: debian12_servers gather_facts: true roles: - role: mindpointgroup.deb12_cis vars: deb12cis_level_1: true deb12cis_level_2: true run_audit: true setup_audit: true ``` -------------------------------- ### Enable PAM faillock notification module Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Enables or updates the PAM faillock notification module for user feedback. Use when PAM faillock notification module configuration is modified. ```bash pam-auth-update --enable {{ deb12cis_pam_faillock_notify_file }} ``` -------------------------------- ### Run Only Level 1 Server Controls Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Execute only the Level 1 server hardening controls using Ansible tags. This command targets playbooks tagged with 'level1-server'. ```bash ansible-playbook site.yml --tags "level1-server" ``` -------------------------------- ### Reload sysctl Parameters Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/task-handlers.md Reloads all sysctl parameters from configuration files. Use this handler when kernel parameters in /etc/sysctl.conf or /etc/sysctl.d/ are modified to apply changes without a reboot. ```bash sysctl --system ``` -------------------------------- ### Debian 12 CIS Ansible Role File Structure Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/INDEX.md This snippet displays the directory and file organization of the Debian 12 CIS Ansible role. It references associated documentation for specific file types and their purposes. ```tree debian12-cis/ ├── defaults/main.yml (All variable defaults - see config-variables.md) ├── handlers/main.yml (All handlers - see task-handlers.md) ├── meta/main.yml (Role metadata - see role-overview.md) ├── tasks/ │ ├── main.yml (Entry point, 13-phase flow - see tasks-overview.md) │ ├── section_1/ (Initial Setup controls) │ ├── section_2/ (Services controls) │ ├── section_3/ (Network controls) │ ├── section_4/ (Logging controls) │ ├── section_5/ (Access Control controls) │ ├── section_6/ (Maintenance controls) │ ├── section_7/ (Hardening controls) │ ├── prelim.yml (Preliminary setup) │ ├── post.yml (Post-remediation) │ ├── auditd.yml (Auditd rules) │ └── ...audit tasks... ├── templates/ (20+ Jinja2 templates - see templates-and-filters.md) │ ├── etc/ssh/ (SSH config) │ ├── audit/ (Auditd rules) │ ├── etc/dconf/ (GNOME settings) │ └── ...more... └── vars/ ├── main.yml (Internal variables) ├── Debian.yml (OS-specific) ├── is_container.yml (Container overrides) └── audit.yml (Audit defaults) ``` -------------------------------- ### Run Ansible Playbook on Multiple Hosts in Parallel Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Execute playbooks across multiple hosts concurrently by specifying the number of parallel workers. Adjust '-f 10' based on your network and system capacity. ```bash # Run on multiple hosts in parallel ansible-playbook -i inventory site.yml -f 10 ``` -------------------------------- ### Run Only Patch Controls (Skip Audit-Only) Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Execute only the patch-related hardening controls, excluding audit-specific ones, using Ansible tags. This command targets playbooks tagged with 'patch'. ```bash ansible-playbook site.yml --tags "patch" ``` -------------------------------- ### Ansible Hardening with Skipped Problematic Controls Source: https://github.com/ansible-lockdown/debian12-cis/blob/devel/_autodocs/usage-examples.md Configure Ansible to skip specific CIS controls that may cause disruption or conflicts with existing applications on legacy servers. This allows for selective hardening. ```yaml --- - name: Hardening with exceptions hosts: legacy_servers gather_facts: true vars: # Disable controls that would break the application deb12cis_rule_2_4_1_1: false # Skip NFS removal deb12cis_rule_5_2_11: false # Allow SSH root login deb12cis_rule_3_4_1: false # Skip firewall for network appliance roles: - role: mindpointgroup.deb12_cis ```