RHEL9-CIS/defaults/main.yml

---
# defaults file for rhel9-cis

rhel9cis_skip_for_travis: false
rhel9cis_system_is_container: false
# rhel9cis is left off the front of this var for consistency in testing pipeline
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
system_is_ec2: false

rhel9cis_notauto: false
rhel9cis_section1: true
rhel9cis_section2: true
rhel9cis_section3: true
rhel9cis_section4: true
rhel9cis_section5: true
rhel9cis_section6: true

rhel9cis_level_1: true
rhel9cis_level_2: true

rhel9cis_selinux_disable: false
rhel9cis_legacy_boot: false

## Python Binary
## This is used for python3 Installations where python2 OS modules are used in ansible
python2_bin: /bin/python2.7

## Benchmark name used by audting control role
# The audit variable found at the base
benchmark: RHEL9-CIS

# Whether to skip the reboot
rhel9cis_skip_reboot: true

#### Basic external goss audit enablement settings ####
#### Precise details - per setting can be found at the bottom of this file ####

### Goss is required on the remote host
setup_audit: false
# How to retrive goss
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_goss_file: download

# how to get audit files onto host options
# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)
audit_content: git

# enable audits to run - this  runs the audit and get the latest content
run_audit: false

# Timeout for those cmds that take longer to run where timeout set
audit_cmd_timeout: 30000

### End Goss enablements ####
#### Detailed settings found at the end of this document ####

# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 rules
rhel9cis_rule_1_1_1_1: true
rhel9cis_rule_1_1_1_2: true
rhel9cis_rule_1_1_1_3: true
rhel9cis_rule_1_1_1_4: true
rhel9cis_rule_1_1_1_5: true
rhel9cis_rule_1_1_2: true
rhel9cis_rule_1_1_3: true
rhel9cis_rule_1_1_4: true
rhel9cis_rule_1_1_5: true
rhel9cis_rule_1_1_6: true
rhel9cis_rule_1_1_7: true
rhel9cis_rule_1_1_8: true
rhel9cis_rule_1_1_9: true
rhel9cis_rule_1_1_10: true
rhel9cis_rule_1_1_11: true
rhel9cis_rule_1_1_12: true
rhel9cis_rule_1_1_13: true
rhel9cis_rule_1_1_14: true
rhel9cis_rule_1_1_15: true
rhel9cis_rule_1_1_16: true
rhel9cis_rule_1_1_17: true
rhel9cis_rule_1_1_18: true
rhel9cis_rule_1_1_19: true
rhel9cis_rule_1_1_20: true
rhel9cis_rule_1_1_21: true
rhel9cis_rule_1_1_22: true
rhel9cis_rule_1_1_23: true
rhel9cis_rule_1_2_1: true
rhel9cis_rule_1_2_2: true
rhel9cis_rule_1_2_3: true
rhel9cis_rule_1_2_4: true
rhel9cis_rule_1_2_5: true
rhel9cis_rule_1_3_1: true
rhel9cis_rule_1_3_2: true
rhel9cis_rule_1_3_3: true
rhel9cis_rule_1_4_1: true
rhel9cis_rule_1_4_2: true
rhel9cis_rule_1_5_1: true
rhel9cis_rule_1_5_2: true
rhel9cis_rule_1_5_3: true
rhel9cis_rule_1_6_1: true
rhel9cis_rule_1_6_2: true
rhel9cis_rule_1_7_1_1: true
rhel9cis_rule_1_7_1_2: true
rhel9cis_rule_1_7_1_3: true
rhel9cis_rule_1_7_1_4: true
rhel9cis_rule_1_7_1_5: true
rhel9cis_rule_1_7_1_6: true
rhel9cis_rule_1_7_1_7: true
rhel9cis_rule_1_8_1_1: true
rhel9cis_rule_1_8_1_2: true
rhel9cis_rule_1_8_1_3: true
rhel9cis_rule_1_8_1_4: true
rhel9cis_rule_1_8_1_5: true
rhel9cis_rule_1_8_1_6: true
rhel9cis_rule_1_8_2: true
rhel9cis_rule_1_9: true
rhel9cis_rule_1_10: true
rhel9cis_rule_1_11: true

# Section 2 rules
rhel9cis_rule_2_1_1: true
rhel9cis_rule_2_1_2: true
rhel9cis_rule_2_1_3: true
rhel9cis_rule_2_1_4: true
rhel9cis_rule_2_1_5: true
rhel9cis_rule_2_1_6: true
rhel9cis_rule_2_1_7: true
rhel9cis_rule_2_2_1_1: true
rhel9cis_rule_2_2_1_2: true
rhel9cis_rule_2_2_1_3: true
rhel9cis_rule_2_2_2: true
rhel9cis_rule_2_2_3: true
rhel9cis_rule_2_2_4: true
rhel9cis_rule_2_2_5: true
rhel9cis_rule_2_2_6: true
rhel9cis_rule_2_2_7: true
rhel9cis_rule_2_2_8: true
rhel9cis_rule_2_2_9: true
rhel9cis_rule_2_2_10: true
rhel9cis_rule_2_2_11: true
rhel9cis_rule_2_2_12: true
rhel9cis_rule_2_2_13: true
rhel9cis_rule_2_2_14: true
rhel9cis_rule_2_2_15: true
rhel9cis_rule_2_2_16: true
rhel9cis_rule_2_2_17: true
rhel9cis_rule_2_2_18: true
rhel9cis_rule_2_3_1: true
rhel9cis_rule_2_3_2: true
rhel9cis_rule_2_3_3: true

# Section 3 rules
rhel9cis_rule_3_1_1: true
rhel9cis_rule_3_1_2: true
rhel9cis_rule_3_2_1: true
rhel9cis_rule_3_2_2: true
rhel9cis_rule_3_2_3: true
rhel9cis_rule_3_2_4: true
rhel9cis_rule_3_2_5: true
rhel9cis_rule_3_2_6: true
rhel9cis_rule_3_2_7: true
rhel9cis_rule_3_2_8: true
rhel9cis_rule_3_2_9: true
rhel9cis_rule_3_3_1: true
rhel9cis_rule_3_3_2: true
rhel9cis_rule_3_3_3: true
rhel9cis_rule_3_3_4: true
rhel9cis_rule_3_4_1_1: true
rhel9cis_rule_3_4_2_1: true
rhel9cis_rule_3_4_2_2: true
rhel9cis_rule_3_4_2_3: true
rhel9cis_rule_3_4_2_4: true
rhel9cis_rule_3_4_2_5: true
rhel9cis_rule_3_4_2_6: true
rhel9cis_rule_3_4_3_1: true
rhel9cis_rule_3_4_3_2: true
rhel9cis_rule_3_4_3_3: true
rhel9cis_rule_3_4_3_4: true
rhel9cis_rule_3_4_3_5: true
rhel9cis_rule_3_4_3_6: true
rhel9cis_rule_3_4_3_7: true
rhel9cis_rule_3_4_3_8: true
rhel9cis_rule_3_4_4_1_1: true
rhel9cis_rule_3_4_4_1_2: true
rhel9cis_rule_3_4_4_1_3: true
rhel9cis_rule_3_4_4_1_4: true
rhel9cis_rule_3_4_4_1_5: true
rhel9cis_rule_3_4_4_2_1: true
rhel9cis_rule_3_4_4_2_2: true
rhel9cis_rule_3_4_4_2_3: true
rhel9cis_rule_3_4_4_2_4: true
rhel9cis_rule_3_4_4_2_5: true
rhel9cis_rule_3_5: true
rhel9cis_rule_3_6: true

# Section 4 rules
rhel9cis_rule_4_1_1_1: true
rhel9cis_rule_4_1_1_2: true
rhel9cis_rule_4_1_1_3: true
rhel9cis_rule_4_1_1_4: true
rhel9cis_rule_4_1_2_1: true
rhel9cis_rule_4_1_2_2: true
rhel9cis_rule_4_1_2_3: true
rhel9cis_rule_4_1_3: true
rhel9cis_rule_4_1_4: true
rhel9cis_rule_4_1_5: true
rhel9cis_rule_4_1_6: true
rhel9cis_rule_4_1_7: true
rhel9cis_rule_4_1_8: true
rhel9cis_rule_4_1_9: true
rhel9cis_rule_4_1_10: true
rhel9cis_rule_4_1_11: true
rhel9cis_rule_4_1_12: true
rhel9cis_rule_4_1_13: true
rhel9cis_rule_4_1_14: true
rhel9cis_rule_4_1_15: true
rhel9cis_rule_4_1_16: true
rhel9cis_rule_4_1_17: true
rhel9cis_rule_4_2_1_1: true
rhel9cis_rule_4_2_1_2: true
rhel9cis_rule_4_2_1_3: true
rhel9cis_rule_4_2_1_4: true
rhel9cis_rule_4_2_1_5: true
rhel9cis_rule_4_2_1_6: true
rhel9cis_rule_4_2_2_1: true
rhel9cis_rule_4_2_2_2: true
rhel9cis_rule_4_2_2_3: true
rhel9cis_rule_4_2_3: true
rhel9cis_rule_4_3: true

# Section 5 rules
rhel9cis_rule_5_1_1: true
rhel9cis_rule_5_1_2: true
rhel9cis_rule_5_1_3: true
rhel9cis_rule_5_1_4: true
rhel9cis_rule_5_1_5: true
rhel9cis_rule_5_1_6: true
rhel9cis_rule_5_1_7: true
rhel9cis_rule_5_1_8: true
rhel9cis_rule_5_2_1: true
rhel9cis_rule_5_2_2: true
rhel9cis_rule_5_2_3: true
rhel9cis_rule_5_2_4: true
rhel9cis_rule_5_2_5: true
rhel9cis_rule_5_2_6: true
rhel9cis_rule_5_2_7: true
rhel9cis_rule_5_2_8: true
rhel9cis_rule_5_2_9: true
rhel9cis_rule_5_2_10: true
rhel9cis_rule_5_2_12: true
rhel9cis_rule_5_2_11: true
rhel9cis_rule_5_2_13: true
rhel9cis_rule_5_2_14: true
rhel9cis_rule_5_2_15: true
rhel9cis_rule_5_2_16: true
rhel9cis_rule_5_2_17: true
rhel9cis_rule_5_2_18: true
rhel9cis_rule_5_2_19: true
rhel9cis_rule_5_2_20: true
rhel9cis_rule_5_3_1: true
rhel9cis_rule_5_3_2: true
rhel9cis_rule_5_3_3: true
rhel9cis_rule_5_4_1: true
rhel9cis_rule_5_4_2: true
rhel9cis_rule_5_4_3: true
rhel9cis_rule_5_4_4: true
rhel9cis_rule_5_5_1_1: true
rhel9cis_rule_5_5_1_2: true
rhel9cis_rule_5_5_1_3: true
rhel9cis_rule_5_5_1_4: true
rhel9cis_rule_5_5_1_5: true
rhel9cis_rule_5_5_2: true
rhel9cis_rule_5_5_3: true
rhel9cis_rule_5_5_4: true
rhel9cis_rule_5_5_5: true
rhel9cis_rule_5_6: true
rhel9cis_rule_5_7: true

# Section 6 rules
rhel9cis_rule_6_1_1: true
rhel9cis_rule_6_1_2: true
rhel9cis_rule_6_1_3: true
rhel9cis_rule_6_1_4: true
rhel9cis_rule_6_1_5: true
rhel9cis_rule_6_1_6: true
rhel9cis_rule_6_1_7: true
rhel9cis_rule_6_1_8: true
rhel9cis_rule_6_1_9: true
rhel9cis_rule_6_1_10: true
rhel9cis_rule_6_1_11: true
rhel9cis_rule_6_1_12: true
rhel9cis_rule_6_1_13: true
rhel9cis_rule_6_1_14: true
rhel9cis_rule_6_2_1: true
rhel9cis_rule_6_2_2: true
rhel9cis_rule_6_2_3: true
rhel9cis_rule_6_2_4: true
rhel9cis_rule_6_2_5: true
rhel9cis_rule_6_2_6: true
rhel9cis_rule_6_2_7: true
rhel9cis_rule_6_2_8: false
rhel9cis_rule_6_2_9: true
rhel9cis_rule_6_2_10: true
rhel9cis_rule_6_2_11: true
rhel9cis_rule_6_2_12: true
rhel9cis_rule_6_2_13: true
rhel9cis_rule_6_2_14: true
rhel9cis_rule_6_2_15: true
rhel9cis_rule_6_2_16: true
rhel9cis_rule_6_2_17: true
rhel9cis_rule_6_2_18: true
rhel9cis_rule_6_2_19: true
rhel9cis_rule_6_2_20: true

# Service configuration booleans set true to keep service
rhel9cis_avahi_server: false
rhel9cis_cups_server: false
rhel9cis_dhcp_server: false
rhel9cis_ldap_server: false
rhel9cis_telnet_server: false
rhel9cis_nfs_server: false
rhel9cis_rpc_server: false
rhel9cis_ntalk_server: false
rhel9cis_rsyncd_server: false
rhel9cis_tftp_server: false
rhel9cis_rsh_server: false
rhel9cis_nis_server: false
rhel9cis_snmp_server: false
rhel9cis_squid_server: false
rhel9cis_smb_server: false
rhel9cis_dovecot_server: false
rhel9cis_httpd_server: false
rhel9cis_vsftpd_server: false
rhel9cis_named_server: false
rhel9cis_nfs_rpc_server: false
rhel9cis_is_mail_server: false
rhel9cis_bind: false
rhel9cis_vsftpd: false
rhel9cis_httpd: false
rhel9cis_dovecot: false
rhel9cis_samba: false
rhel9cis_squid: false
rhel9cis_net_snmp: false
rhel9cis_allow_autofs: false

## Section 1 vars

# 1.1.2
# These settings go into the /etc/fstab file for the /tmp mount settings
# The value must contain nosuid,nodev,noexec to conform to CIS standards
# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
# If set true uses the tmp.mount service else using fstab configuration
rhel9cis_tmp_svc: false

# 1.2.1
# This is the login information for your RedHat Subscription
# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
# The intent here is to use a password utility like Ansible Vault here
rhel9cis_rh_sub_user: user
rhel9cis_rh_sub_password: password

# 1.2.2
# Do you require rhnsd
# RedHat Satellite Subscription items
rhel9cis_rhnsd_required: false

# 1.3.3 var log location variable
rhel9cis_varlog_location: "/var/log/sudo.log"

# xinetd required
rhel9cis_xinetd_required: false

# 1.4.2 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel9cis_bootloader_password: random
rhel9cis_set_boot_pass: false

# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.
rhel9cis_crypto_policy: "FUTURE"

# System network parameters (host only OR host and router)
rhel9cis_is_router: false

# IPv6 required
rhel9cis_ipv6_required: true

# AIDE
rhel9cis_config_aide: true
# AIDE cron settings
rhel9cis_aide_cron:
    cron_user: root
    cron_file: /etc/crontab
    aide_job: '/usr/sbin/aide --check'
    aide_minute: 0
    aide_hour: 5
    aide_day: '*'
    aide_month: '*'
    aide_weekday: '*'

# SELinux policy
rhel9cis_selinux_pol: targeted

# Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: no

# Set to 'true' if X Windows is needed in your environment
rhel9cis_xwindows_required: false

rhel9cis_openldap_clients_required: false
rhel9cis_telnet_required: false
rhel9cis_talk_required: false
rhel9cis_rsh_required: false
rhel9cis_ypbind_required: false

# 2.2.1.1 Time Synchronization - Either chrony or ntp
rhel9cis_time_synchronization: chrony

# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
rhel9cis_time_synchronization_servers:
    - 0.pool.ntp.org
    - 1.pool.ntp.org
    - 2.pool.ntp.org
    - 3.pool.ntp.org

rhel9cis_chrony_server_options: "minpoll 8"
rhel9cis_ntp_server_options: "iburst"

## Section3 vars
# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
rhel9cis_host_allow:
    - "10.0.0.0/255.0.0.0"
    - "172.16.0.0/255.240.0.0"
    - "192.168.0.0/255.255.0.0"

# Firewall Service - either firewalld, iptables, or nftables
rhel9cis_firewall: firewalld

# 3.4.2.4 Default zone setting
rhel9cis_default_zone: public

# 3.4.2.5 Zone and Interface setting
rhel9cis_int_zone: customezone
rhel9cis_interface: eth0

rhel9cis_firewall_services:
    - ssh
    - dhcpv6-client

# 3.4.3.2 Set nftables new table create
rhel9cis_nft_tables_autonewtable: true
rhel9cis_nft_tables_tablename: filter

# 3.4.3.3 Set nftables new chain create
rhel9cis_nft_tables_autochaincreate: true

# Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: |
    Authorized uses only. All activity may be monitored and reported.
# End Banner

## Section4 vars

rhel9cis_auditd:
    space_left_action: email
    action_mail_acct: root
    admin_space_left_action: halt
    max_log_file_action: keep_logs

rhel9cis_logrotate: "daily"

# The audit_back_log_limit value should never be below 8192
rhel9cis_audit_back_log_limit: 8192

# The max_log_file parameter should be based on your sites policy
rhel9cis_max_log_file_size: 10

# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name
rhel9cis_remote_log_server: logagg.example.com

# RHEL-09-4.2.1.5
rhel9cis_system_is_log_server: false

## Section5 vars

rhel9cis_sshd:
    clientalivecountmax: 0
    clientaliveinterval: 900
    ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
    macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
    logingracetime: 60
    # WARNING: make sure you understand the precedence when working with these values!!
    # allowusers:
    # allowgroups: systems dba
    # denyusers:
    # denygroups:
rhel9cis_pam_faillock:
    attempts: 5
    interval: 900
    unlock_time: 900
    fail_for_root: no
    remember: 5
    pwhash: sha512

# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
rhel9cis_ssh_loglevel: INFO

# 5.2.19 SSH MaxSessions setting. Must be 4 our less
rhel9cis_ssh_maxsessions: 4
rhel9cis_inactivelock:
    lock_days: 30

# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example
# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk
rhel9cis_use_authconfig: false
rhel9cis_authselect:
    custom_profile_name: custom-profile
    default_file_to_copy: "sssd --symlink-meta"
    options: with-sudo with-faillock without-nullok

# 5.3.1 Enable automation to create custom profile settings, using the settings above
rhel9cis_authselect_custom_profile_create: false

# 5.3.2 Enable automation to select custom profile options, using the settings above
rhel9cis_authselect_custom_profile_select: false

rhel9cis_pass:
    max_days: 365
    min_days: 7
    warn_age: 7
# Syslog system - either rsyslog or syslog-ng
rhel9cis_syslog: rsyslog
rhel9cis_rsyslog_ansiblemanaged: true

rhel9cis_vartmp:
    source: /tmp
    fstype: none
    opts: "defaults,nodev,nosuid,noexec,bind"
    enabled: no
## PAM
rhel9cis_pam_password:
    minlen: "14"
    minclass: "4"

# Starting GID for interactive users
rhel9cis_int_gid: 1000

# RHEL-09-5.4.5
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel9cis_shell_session_timeout:
    file: /etc/profile.d/tmout.sh
    timeout: 600
# RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
rhel9cis_futurepwchgdate_autofix: true

# 5.7
# rhel9cis_sugroup: sugroup  # change accordingly wheel is default

# wheel users list
rhel9cis_sugroup_users: "root"

## Section6 vars

# RHEL-09_6.1.1
rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check

# RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
rhel9cis_no_world_write_adjust: true
rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
# 6.2.9
rhel9cis_dotperm_ansiblemanaged: true
#### Goss Configuration Settings ####

### Goss binary settings ###
goss_version:
    release: v0.3.16
    checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json

# if get_goss_file == download change accordingly
goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"

## if get_goss_file - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
copy_goss_from_path: /some/accessible/path

### Goss Audit Benchmark file ###
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: main

# copy:
audit_local_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

# Where the goss audit configuration will be stored
audit_files: "/var/tmp/{{ benchmark }}-Audit/"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/var/tmp'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"

## The following should not need changing
goss_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
audit_results: |
      The pre remediation results are: {{ pre_audit_summary }}.
      The post remediation results are: {{ post_audit_summary }}.
      Full breakdown can be found in {{ audit_out_dir }}
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`
			`# defaults file for rhel9-cis`

			`rhel9cis_skip_for_travis: false`
			`rhel9cis_system_is_container: false`
			`# rhel9cis is left off the front of this var for consistency in testing pipeline`
			`# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks`
			`system_is_ec2: false`

			`rhel9cis_notauto: false`
			`rhel9cis_section1: true`
			`rhel9cis_section2: true`
			`rhel9cis_section3: true`
			`rhel9cis_section4: true`
			`rhel9cis_section5: true`
			`rhel9cis_section6: true`

			`rhel9cis_level_1: true`
			`rhel9cis_level_2: true`

			`rhel9cis_selinux_disable: false`
			`rhel9cis_legacy_boot: false`

			`## Python Binary`
			`## This is used for python3 Installations where python2 OS modules are used in ansible`
			`python2_bin: /bin/python2.7`

			`## Benchmark name used by audting control role`
			`# The audit variable found at the base`
			`benchmark: RHEL9-CIS`

			`# Whether to skip the reboot`
			`rhel9cis_skip_reboot: true`

			`#### Basic external goss audit enablement settings ####`
			`#### Precise details - per setting can be found at the bottom of this file ####`

			`### Goss is required on the remote host`
			`setup_audit: false`
			`# How to retrive goss`
			`# Options are copy or download - detailed settings at the bottom of this file`
			`# you will need to access to either github or the file already dowmloaded`
			`get_goss_file: download`

			`# how to get audit files onto host options`
			`# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)`
			`audit_content: git`

			`# enable audits to run - this runs the audit and get the latest content`
			`run_audit: false`

			`# Timeout for those cmds that take longer to run where timeout set`
			`audit_cmd_timeout: 30000`

			`### End Goss enablements ####`
			`#### Detailed settings found at the end of this document ####`

			`# These variables correspond with the CIS rule IDs or paragraph numbers defined in`
			`# the CIS benchmark documents.`
			`# PLEASE NOTE: These work in coordination with the section # group variables and tags.`
			`# You must enable an entire section in order for the variables below to take effect.`
			`# Section 1 rules`
			`rhel9cis_rule_1_1_1_1: true`
			`rhel9cis_rule_1_1_1_2: true`
			`rhel9cis_rule_1_1_1_3: true`
			`rhel9cis_rule_1_1_1_4: true`
			`rhel9cis_rule_1_1_1_5: true`
			`rhel9cis_rule_1_1_2: true`
			`rhel9cis_rule_1_1_3: true`
			`rhel9cis_rule_1_1_4: true`
			`rhel9cis_rule_1_1_5: true`
			`rhel9cis_rule_1_1_6: true`
			`rhel9cis_rule_1_1_7: true`
			`rhel9cis_rule_1_1_8: true`
			`rhel9cis_rule_1_1_9: true`
			`rhel9cis_rule_1_1_10: true`
			`rhel9cis_rule_1_1_11: true`
			`rhel9cis_rule_1_1_12: true`
			`rhel9cis_rule_1_1_13: true`
			`rhel9cis_rule_1_1_14: true`
			`rhel9cis_rule_1_1_15: true`
			`rhel9cis_rule_1_1_16: true`
			`rhel9cis_rule_1_1_17: true`
			`rhel9cis_rule_1_1_18: true`
			`rhel9cis_rule_1_1_19: true`
			`rhel9cis_rule_1_1_20: true`
			`rhel9cis_rule_1_1_21: true`
			`rhel9cis_rule_1_1_22: true`
			`rhel9cis_rule_1_1_23: true`
			`rhel9cis_rule_1_2_1: true`
			`rhel9cis_rule_1_2_2: true`
			`rhel9cis_rule_1_2_3: true`
			`rhel9cis_rule_1_2_4: true`
			`rhel9cis_rule_1_2_5: true`
			`rhel9cis_rule_1_3_1: true`
			`rhel9cis_rule_1_3_2: true`
			`rhel9cis_rule_1_3_3: true`
			`rhel9cis_rule_1_4_1: true`
			`rhel9cis_rule_1_4_2: true`
			`rhel9cis_rule_1_5_1: true`
			`rhel9cis_rule_1_5_2: true`
			`rhel9cis_rule_1_5_3: true`
			`rhel9cis_rule_1_6_1: true`
			`rhel9cis_rule_1_6_2: true`
			`rhel9cis_rule_1_7_1_1: true`
			`rhel9cis_rule_1_7_1_2: true`
			`rhel9cis_rule_1_7_1_3: true`
			`rhel9cis_rule_1_7_1_4: true`
			`rhel9cis_rule_1_7_1_5: true`
			`rhel9cis_rule_1_7_1_6: true`
			`rhel9cis_rule_1_7_1_7: true`
			`rhel9cis_rule_1_8_1_1: true`
			`rhel9cis_rule_1_8_1_2: true`
			`rhel9cis_rule_1_8_1_3: true`
			`rhel9cis_rule_1_8_1_4: true`
			`rhel9cis_rule_1_8_1_5: true`
			`rhel9cis_rule_1_8_1_6: true`
			`rhel9cis_rule_1_8_2: true`
			`rhel9cis_rule_1_9: true`
			`rhel9cis_rule_1_10: true`
			`rhel9cis_rule_1_11: true`

			`# Section 2 rules`
			`rhel9cis_rule_2_1_1: true`
			`rhel9cis_rule_2_1_2: true`
			`rhel9cis_rule_2_1_3: true`
			`rhel9cis_rule_2_1_4: true`
			`rhel9cis_rule_2_1_5: true`
			`rhel9cis_rule_2_1_6: true`
			`rhel9cis_rule_2_1_7: true`
			`rhel9cis_rule_2_2_1_1: true`
			`rhel9cis_rule_2_2_1_2: true`
			`rhel9cis_rule_2_2_1_3: true`
			`rhel9cis_rule_2_2_2: true`
			`rhel9cis_rule_2_2_3: true`
			`rhel9cis_rule_2_2_4: true`
			`rhel9cis_rule_2_2_5: true`
			`rhel9cis_rule_2_2_6: true`
			`rhel9cis_rule_2_2_7: true`
			`rhel9cis_rule_2_2_8: true`
			`rhel9cis_rule_2_2_9: true`
			`rhel9cis_rule_2_2_10: true`
			`rhel9cis_rule_2_2_11: true`
			`rhel9cis_rule_2_2_12: true`
			`rhel9cis_rule_2_2_13: true`
			`rhel9cis_rule_2_2_14: true`
			`rhel9cis_rule_2_2_15: true`
			`rhel9cis_rule_2_2_16: true`
			`rhel9cis_rule_2_2_17: true`
			`rhel9cis_rule_2_2_18: true`
			`rhel9cis_rule_2_3_1: true`
			`rhel9cis_rule_2_3_2: true`
			`rhel9cis_rule_2_3_3: true`

			`# Section 3 rules`
			`rhel9cis_rule_3_1_1: true`
			`rhel9cis_rule_3_1_2: true`
			`rhel9cis_rule_3_2_1: true`
			`rhel9cis_rule_3_2_2: true`
			`rhel9cis_rule_3_2_3: true`
			`rhel9cis_rule_3_2_4: true`
			`rhel9cis_rule_3_2_5: true`
			`rhel9cis_rule_3_2_6: true`
			`rhel9cis_rule_3_2_7: true`
			`rhel9cis_rule_3_2_8: true`
			`rhel9cis_rule_3_2_9: true`
			`rhel9cis_rule_3_3_1: true`
			`rhel9cis_rule_3_3_2: true`
			`rhel9cis_rule_3_3_3: true`
			`rhel9cis_rule_3_3_4: true`
			`rhel9cis_rule_3_4_1_1: true`
			`rhel9cis_rule_3_4_2_1: true`
			`rhel9cis_rule_3_4_2_2: true`
			`rhel9cis_rule_3_4_2_3: true`
			`rhel9cis_rule_3_4_2_4: true`
			`rhel9cis_rule_3_4_2_5: true`
			`rhel9cis_rule_3_4_2_6: true`
			`rhel9cis_rule_3_4_3_1: true`
			`rhel9cis_rule_3_4_3_2: true`
			`rhel9cis_rule_3_4_3_3: true`
			`rhel9cis_rule_3_4_3_4: true`
			`rhel9cis_rule_3_4_3_5: true`
			`rhel9cis_rule_3_4_3_6: true`
			`rhel9cis_rule_3_4_3_7: true`
			`rhel9cis_rule_3_4_3_8: true`
			`rhel9cis_rule_3_4_4_1_1: true`
			`rhel9cis_rule_3_4_4_1_2: true`
			`rhel9cis_rule_3_4_4_1_3: true`
			`rhel9cis_rule_3_4_4_1_4: true`
			`rhel9cis_rule_3_4_4_1_5: true`
			`rhel9cis_rule_3_4_4_2_1: true`
			`rhel9cis_rule_3_4_4_2_2: true`
			`rhel9cis_rule_3_4_4_2_3: true`
			`rhel9cis_rule_3_4_4_2_4: true`
			`rhel9cis_rule_3_4_4_2_5: true`
			`rhel9cis_rule_3_5: true`
			`rhel9cis_rule_3_6: true`

			`# Section 4 rules`
			`rhel9cis_rule_4_1_1_1: true`
			`rhel9cis_rule_4_1_1_2: true`
			`rhel9cis_rule_4_1_1_3: true`
			`rhel9cis_rule_4_1_1_4: true`
			`rhel9cis_rule_4_1_2_1: true`
			`rhel9cis_rule_4_1_2_2: true`
			`rhel9cis_rule_4_1_2_3: true`
			`rhel9cis_rule_4_1_3: true`
			`rhel9cis_rule_4_1_4: true`
			`rhel9cis_rule_4_1_5: true`
			`rhel9cis_rule_4_1_6: true`
			`rhel9cis_rule_4_1_7: true`
			`rhel9cis_rule_4_1_8: true`
			`rhel9cis_rule_4_1_9: true`
			`rhel9cis_rule_4_1_10: true`
			`rhel9cis_rule_4_1_11: true`
			`rhel9cis_rule_4_1_12: true`
			`rhel9cis_rule_4_1_13: true`
			`rhel9cis_rule_4_1_14: true`
			`rhel9cis_rule_4_1_15: true`
			`rhel9cis_rule_4_1_16: true`
			`rhel9cis_rule_4_1_17: true`
			`rhel9cis_rule_4_2_1_1: true`
			`rhel9cis_rule_4_2_1_2: true`
			`rhel9cis_rule_4_2_1_3: true`
			`rhel9cis_rule_4_2_1_4: true`
			`rhel9cis_rule_4_2_1_5: true`
			`rhel9cis_rule_4_2_1_6: true`
			`rhel9cis_rule_4_2_2_1: true`
			`rhel9cis_rule_4_2_2_2: true`
			`rhel9cis_rule_4_2_2_3: true`
			`rhel9cis_rule_4_2_3: true`
			`rhel9cis_rule_4_3: true`

			`# Section 5 rules`
			`rhel9cis_rule_5_1_1: true`
			`rhel9cis_rule_5_1_2: true`
			`rhel9cis_rule_5_1_3: true`
			`rhel9cis_rule_5_1_4: true`
			`rhel9cis_rule_5_1_5: true`
			`rhel9cis_rule_5_1_6: true`
			`rhel9cis_rule_5_1_7: true`
			`rhel9cis_rule_5_1_8: true`
			`rhel9cis_rule_5_2_1: true`
			`rhel9cis_rule_5_2_2: true`
			`rhel9cis_rule_5_2_3: true`
			`rhel9cis_rule_5_2_4: true`
			`rhel9cis_rule_5_2_5: true`
			`rhel9cis_rule_5_2_6: true`
			`rhel9cis_rule_5_2_7: true`
			`rhel9cis_rule_5_2_8: true`
			`rhel9cis_rule_5_2_9: true`
			`rhel9cis_rule_5_2_10: true`
			`rhel9cis_rule_5_2_12: true`
			`rhel9cis_rule_5_2_11: true`
			`rhel9cis_rule_5_2_13: true`
			`rhel9cis_rule_5_2_14: true`
			`rhel9cis_rule_5_2_15: true`
			`rhel9cis_rule_5_2_16: true`
			`rhel9cis_rule_5_2_17: true`
			`rhel9cis_rule_5_2_18: true`
			`rhel9cis_rule_5_2_19: true`
			`rhel9cis_rule_5_2_20: true`
			`rhel9cis_rule_5_3_1: true`
			`rhel9cis_rule_5_3_2: true`
			`rhel9cis_rule_5_3_3: true`
			`rhel9cis_rule_5_4_1: true`
			`rhel9cis_rule_5_4_2: true`
			`rhel9cis_rule_5_4_3: true`
			`rhel9cis_rule_5_4_4: true`
			`rhel9cis_rule_5_5_1_1: true`
			`rhel9cis_rule_5_5_1_2: true`
			`rhel9cis_rule_5_5_1_3: true`
			`rhel9cis_rule_5_5_1_4: true`
			`rhel9cis_rule_5_5_1_5: true`
			`rhel9cis_rule_5_5_2: true`
			`rhel9cis_rule_5_5_3: true`
			`rhel9cis_rule_5_5_4: true`
			`rhel9cis_rule_5_5_5: true`
			`rhel9cis_rule_5_6: true`
			`rhel9cis_rule_5_7: true`

			`# Section 6 rules`
			`rhel9cis_rule_6_1_1: true`
			`rhel9cis_rule_6_1_2: true`
			`rhel9cis_rule_6_1_3: true`
			`rhel9cis_rule_6_1_4: true`
			`rhel9cis_rule_6_1_5: true`
			`rhel9cis_rule_6_1_6: true`
			`rhel9cis_rule_6_1_7: true`
			`rhel9cis_rule_6_1_8: true`
			`rhel9cis_rule_6_1_9: true`
			`rhel9cis_rule_6_1_10: true`
			`rhel9cis_rule_6_1_11: true`
			`rhel9cis_rule_6_1_12: true`
			`rhel9cis_rule_6_1_13: true`
			`rhel9cis_rule_6_1_14: true`
			`rhel9cis_rule_6_2_1: true`
			`rhel9cis_rule_6_2_2: true`
			`rhel9cis_rule_6_2_3: true`
			`rhel9cis_rule_6_2_4: true`
			`rhel9cis_rule_6_2_5: true`
			`rhel9cis_rule_6_2_6: true`
			`rhel9cis_rule_6_2_7: true`
			`rhel9cis_rule_6_2_8: false`
			`rhel9cis_rule_6_2_9: true`
			`rhel9cis_rule_6_2_10: true`
			`rhel9cis_rule_6_2_11: true`
			`rhel9cis_rule_6_2_12: true`
			`rhel9cis_rule_6_2_13: true`
			`rhel9cis_rule_6_2_14: true`
			`rhel9cis_rule_6_2_15: true`
			`rhel9cis_rule_6_2_16: true`
			`rhel9cis_rule_6_2_17: true`
			`rhel9cis_rule_6_2_18: true`
			`rhel9cis_rule_6_2_19: true`
			`rhel9cis_rule_6_2_20: true`

			`# Service configuration booleans set true to keep service`
			`rhel9cis_avahi_server: false`
			`rhel9cis_cups_server: false`
			`rhel9cis_dhcp_server: false`
			`rhel9cis_ldap_server: false`
			`rhel9cis_telnet_server: false`
			`rhel9cis_nfs_server: false`
			`rhel9cis_rpc_server: false`
			`rhel9cis_ntalk_server: false`
			`rhel9cis_rsyncd_server: false`
			`rhel9cis_tftp_server: false`
			`rhel9cis_rsh_server: false`
			`rhel9cis_nis_server: false`
			`rhel9cis_snmp_server: false`
			`rhel9cis_squid_server: false`
			`rhel9cis_smb_server: false`
			`rhel9cis_dovecot_server: false`
			`rhel9cis_httpd_server: false`
			`rhel9cis_vsftpd_server: false`
			`rhel9cis_named_server: false`
			`rhel9cis_nfs_rpc_server: false`
			`rhel9cis_is_mail_server: false`
			`rhel9cis_bind: false`
			`rhel9cis_vsftpd: false`
			`rhel9cis_httpd: false`
			`rhel9cis_dovecot: false`
			`rhel9cis_samba: false`
			`rhel9cis_squid: false`
			`rhel9cis_net_snmp: false`
			`rhel9cis_allow_autofs: false`

			`## Section 1 vars`

			`# 1.1.2`
			`# These settings go into the /etc/fstab file for the /tmp mount settings`
			`# The value must contain nosuid,nodev,noexec to conform to CIS standards`
			`# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"`
			`# If set true uses the tmp.mount service else using fstab configuration`
			`rhel9cis_tmp_svc: false`

			`# 1.2.1`
			`# This is the login information for your RedHat Subscription`
			`# DO NOT USE PLAIN TEXT PASSWORDS!!!!!`
			`# The intent here is to use a password utility like Ansible Vault here`
			`rhel9cis_rh_sub_user: user`
			`rhel9cis_rh_sub_password: password`

			`# 1.2.2`
			`# Do you require rhnsd`
			`# RedHat Satellite Subscription items`
			`rhel9cis_rhnsd_required: false`

			`# 1.3.3 var log location variable`
			`rhel9cis_varlog_location: "/var/log/sudo.log"`

			`# xinetd required`
			`rhel9cis_xinetd_required: false`

			`# 1.4.2 Bootloader password`
			`rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'`
			`rhel9cis_bootloader_password: random`
			`rhel9cis_set_boot_pass: false`

			`# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)`
			`# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.`
			`rhel9cis_crypto_policy: "FUTURE"`

			`# System network parameters (host only OR host and router)`
			`rhel9cis_is_router: false`

			`# IPv6 required`
			`rhel9cis_ipv6_required: true`

			`# AIDE`
			`rhel9cis_config_aide: true`
			`# AIDE cron settings`
			`rhel9cis_aide_cron:`
			`cron_user: root`
			`cron_file: /etc/crontab`
			`aide_job: '/usr/sbin/aide --check'`
			`aide_minute: 0`
			`aide_hour: 5`
			`aide_day: '*'`
			`aide_month: '*'`
			`aide_weekday: '*'`

			`# SELinux policy`
			`rhel9cis_selinux_pol: targeted`

			`# Whether or not to run tasks related to auditing/patching the desktop environment`
			`rhel9cis_gui: no`

			`# Set to 'true' if X Windows is needed in your environment`
			`rhel9cis_xwindows_required: false`

			`rhel9cis_openldap_clients_required: false`
			`rhel9cis_telnet_required: false`
			`rhel9cis_talk_required: false`
			`rhel9cis_rsh_required: false`
			`rhel9cis_ypbind_required: false`

			`# 2.2.1.1 Time Synchronization - Either chrony or ntp`
			`rhel9cis_time_synchronization: chrony`

			`# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2`
			`rhel9cis_time_synchronization_servers:`
			`- 0.pool.ntp.org`
			`- 1.pool.ntp.org`
			`- 2.pool.ntp.org`
			`- 3.pool.ntp.org`

			`rhel9cis_chrony_server_options: "minpoll 8"`
			`rhel9cis_ntp_server_options: "iburst"`

			`## Section3 vars`
			`# 3.4.2 \| PATCH \| Ensure /etc/hosts.allow is configured`
			`rhel9cis_host_allow:`
			`- "10.0.0.0/255.0.0.0"`
			`- "172.16.0.0/255.240.0.0"`
			`- "192.168.0.0/255.255.0.0"`

			`# Firewall Service - either firewalld, iptables, or nftables`
			`rhel9cis_firewall: firewalld`

			`# 3.4.2.4 Default zone setting`
			`rhel9cis_default_zone: public`

			`# 3.4.2.5 Zone and Interface setting`
			`rhel9cis_int_zone: customezone`
			`rhel9cis_interface: eth0`

			`rhel9cis_firewall_services:`
			`- ssh`
			`- dhcpv6-client`

			`# 3.4.3.2 Set nftables new table create`
			`rhel9cis_nft_tables_autonewtable: true`
			`rhel9cis_nft_tables_tablename: filter`

			`# 3.4.3.3 Set nftables new chain create`
			`rhel9cis_nft_tables_autochaincreate: true`

			`# Warning Banner Content (issue, issue.net, motd)`
			`rhel9cis_warning_banner: \|`
			`Authorized uses only. All activity may be monitored and reported.`
			`# End Banner`

			`## Section4 vars`

			`rhel9cis_auditd:`
			`space_left_action: email`
			`action_mail_acct: root`
			`admin_space_left_action: halt`
			`max_log_file_action: keep_logs`

			`rhel9cis_logrotate: "daily"`

			`# The audit_back_log_limit value should never be below 8192`
			`rhel9cis_audit_back_log_limit: 8192`

			`# The max_log_file parameter should be based on your sites policy`
			`rhel9cis_max_log_file_size: 10`

			`# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name`
			`rhel9cis_remote_log_server: logagg.example.com`

			`# RHEL-09-4.2.1.5`
			`rhel9cis_system_is_log_server: false`

			`## Section5 vars`

			`rhel9cis_sshd:`
			`clientalivecountmax: 0`
			`clientaliveinterval: 900`
			`ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"`
			`macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"`
			`logingracetime: 60`
			`# WARNING: make sure you understand the precedence when working with these values!!`
			`# allowusers:`
			`# allowgroups: systems dba`
			`# denyusers:`
			`# denygroups:`
			`rhel9cis_pam_faillock:`
			`attempts: 5`
			`interval: 900`
			`unlock_time: 900`
			`fail_for_root: no`
			`remember: 5`
			`pwhash: sha512`

			`# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE`
			`rhel9cis_ssh_loglevel: INFO`

			`# 5.2.19 SSH MaxSessions setting. Must be 4 our less`
			`rhel9cis_ssh_maxsessions: 4`
			`rhel9cis_inactivelock:`
			`lock_days: 30`

			`# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example`
			`# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk`
			`rhel9cis_use_authconfig: false`
			`rhel9cis_authselect:`
			`custom_profile_name: custom-profile`
			`default_file_to_copy: "sssd --symlink-meta"`
			`options: with-sudo with-faillock without-nullok`

			`# 5.3.1 Enable automation to create custom profile settings, using the settings above`
			`rhel9cis_authselect_custom_profile_create: false`

			`# 5.3.2 Enable automation to select custom profile options, using the settings above`
			`rhel9cis_authselect_custom_profile_select: false`

			`rhel9cis_pass:`
			`max_days: 365`
			`min_days: 7`
			`warn_age: 7`
			`# Syslog system - either rsyslog or syslog-ng`
			`rhel9cis_syslog: rsyslog`
			`rhel9cis_rsyslog_ansiblemanaged: true`

			`rhel9cis_vartmp:`
			`source: /tmp`
			`fstype: none`
			`opts: "defaults,nodev,nosuid,noexec,bind"`
			`enabled: no`
			`## PAM`
			`rhel9cis_pam_password:`
			`minlen: "14"`
			`minclass: "4"`

			`# Starting GID for interactive users`
			`rhel9cis_int_gid: 1000`

			`# RHEL-09-5.4.5`
			`# Session timeout setting file (TMOUT setting can be set in multiple files)`
			`# Timeout value is in seconds. (60 seconds * 10 = 600)`
			`rhel9cis_shell_session_timeout:`
			`file: /etc/profile.d/tmout.sh`
			`timeout: 600`
			`# RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords`
			`rhel9cis_futurepwchgdate_autofix: true`

			`# 5.7`
			`# rhel9cis_sugroup: sugroup # change accordingly wheel is default`

			`# wheel users list`
			`rhel9cis_sugroup_users: "root"`

			`## Section6 vars`

			`# RHEL-09_6.1.1`
			`rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check`

			`# RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable`
			`rhel9cis_no_world_write_adjust: true`
			`rhel9cis_passwd_label: "{{ (this_item \| default(item)).id }}: {{ (this_item \| default(item)).dir }}"`
			`# 6.2.9`
			`rhel9cis_dotperm_ansiblemanaged: true`
			`#### Goss Configuration Settings ####`

			`### Goss binary settings ###`
			`goss_version:`
			`release: v0.3.16`
			`checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'`
			`audit_bin_path: /usr/local/bin/`
			`audit_bin: "{{ audit_bin_path }}goss"`
			`audit_format: json`

			`# if get_goss_file == download change accordingly`
			`goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"`

			`## if get_goss_file - copy the following needs to be updated for your environment`
			`## it is expected that it will be copied from somewhere accessible to the control node`
			`## e.g copy from ansible control node to remote host`
			`copy_goss_from_path: /some/accessible/path`

			`### Goss Audit Benchmark file ###`
			`## managed by the control audit_content`
			`# git`
			`audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"`
			`audit_git_version: main`

			`# copy:`
			`audit_local_copy: "some path to copy from"`

			`# get_url:`
			`audit_files_url: "some url maybe s3?"`

			`# Where the goss audit configuration will be stored`
			`audit_files: "/var/tmp/{{ benchmark }}-Audit/"`

			`## Goss configuration information`
			`# Where the goss configs and outputs are stored`
			`audit_out_dir: '/var/tmp'`
			`audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"`
			`pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"`
			`post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"`

			`## The following should not need changing`
			`goss_file: "{{ audit_conf_dir }}goss.yml"`
			`audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"`
			`audit_results: \|`
			`The pre remediation results are: {{ pre_audit_summary }}.`
			`The post remediation results are: {{ post_audit_summary }}.`
			`Full breakdown can be found in {{ audit_out_dir }}`