removed unneeded vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-04-10 07:52:59 +01:00
parent c9071b361d
commit 0803f90da2
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9


@ -171,10 +171,6 @@ rhel9cis_rule_1_1_8_1: true
rhel9cis_rule_1_1_8_2: true rhel9cis_rule_1_1_8_2: true
rhel9cis_rule_1_1_8_3: true rhel9cis_rule_1_1_8_3: true
rhel9cis_rule_1_1_8_4: true rhel9cis_rule_1_1_8_4: true
rhel9cis_rule_1_1_18: true
rhel9cis_rule_1_1_19: true
rhel9cis_rule_1_1_20: true
rhel9cis_rule_1_1_21: true
rhel9cis_rule_1_1_9: true rhel9cis_rule_1_1_9: true
rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_1: true
rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_2: true
@ -371,7 +367,6 @@ rhel9cis_rule_5_5_1: true
rhel9cis_rule_5_5_2: true rhel9cis_rule_5_5_2: true
rhel9cis_rule_5_5_3: true rhel9cis_rule_5_5_3: true
rhel9cis_rule_5_5_4: true rhel9cis_rule_5_5_4: true
rhel9cis_rule_5_5_5: true
rhel9cis_rule_5_6_1_1: true rhel9cis_rule_5_6_1_1: true
rhel9cis_rule_5_6_1_2: true rhel9cis_rule_5_6_1_2: true
rhel9cis_rule_5_6_1_3: true rhel9cis_rule_5_6_1_3: true
@ -837,14 +832,12 @@ rhel9cis_auditd_extra_conf_usage: false
# Example: # Example:
# rhel9cis_auditd_extra_conf: # rhel9cis_auditd_extra_conf:
# admin_space_left: '10%' # admin_space_left: '10%'
# These variables governs the threshold(MegaBytes) under which the audit daemon should perform a
# specific action to alert that the system is running low on disk space.
rhel9cis_auditd_extra_conf: rhel9cis_auditd_extra_conf:
# This variable governs the threshold(MegaBytes) under which the audit daemon should perform a # Must be lower than the 'space_left' variable.
# specific action to alert that the system is running low on disk space. Must be lower than
# the 'space_left' variable.
admin_space_left: 50 admin_space_left: 50
# This variable governs the threshold(MegaBytes) under which the audit daemon should perform a
# specific action to alert that the system is running low on disk space(last chance to do something
# before running out of disk space). Must be lower than the 'space_left' variable.
space_left: 75 space_left: 75
## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient ## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient
@ -855,12 +848,6 @@ rhel9cis_auditd_extra_conf:
# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. # This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
rhel9cis_audit_back_log_limit: 8192 rhel9cis_audit_back_log_limit: 8192
## Control 4.1.2.1 - Ensure audit log storage size is configured
# This variable specifies the maximum size in MB that an audit log file can reach
# before it is archived or deleted to make space for the new audit data.
# This should be set based on your sites policy. CIS does not provide a specific value.
rhel9cis_max_log_file_size: 10
## Control 4.1.3.x - Audit template ## Control 4.1.3.x - Audit template
# This variable governs if the auditd logic should be executed(if value is true). # This variable governs if the auditd logic should be executed(if value is true).
# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules'). # NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
@ -1015,30 +1002,22 @@ rhel9cis_sshd:
# access for users whose user name matches one of the patterns. This is done # access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host. # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
# allowusers: "" # allowusers: ""
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done # for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, https://linux.die.net/man/5/sshd_config
# allowgroups: "wheel" # allowgroups: "wheel"
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done # for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host. # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
denyusers: "nobody" denyusers: "nobody"
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access # This variable, if specified, configures a list of GROUP name patterns, separated by spaces,
# for users whose primary group or supplementary group list matches one of the patterns. This is done # to prevent SSH access for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
denygroups: "" denygroups: ""
## Control 5.2.5 - Ensure SSH LogLevel is appropriate ## Control 5.2.5 - Ensure SSH LogLevel is appropriate
@ -1176,10 +1155,12 @@ rhel9cis_pass:
rhel9cis_force_user_maxdays: false rhel9cis_force_user_maxdays: false
## Allow the force setting of minimum days between changing the password ## Allow the force setting of minimum days between changing the password
rhel9cis_force_user_mindays: force # This can break current connecting user access
rhel9cis_force_user_mindays: false
## Allow the forcing of of number of days before warning users of password expiry ## Allow the forcing of of number of days before warning users of password expiry
rhel9cis_force_user_warnage: force # This can break current connecting user access
rhel9cis_force_user_warnage: false
## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less ## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less
# Session timeout setting file (TMOUT setting can be set in multiple files) # Session timeout setting file (TMOUT setting can be set in multiple files)
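Review bot: The last hunk changes the defaults of `rhel9cis_force_user_mindays` and `rhel9cis_force_user_warnage` from `force` to `false`, a behaviour change that the commit title "removed unneeded vars" does not mention. The tasks that read these two variables are not on this page, but if they test the value for truthiness, the old string `force` presumably enabled enforcement on existing accounts and the new default switches it off. Hosts relying on the default would then stop having the minimum-days and warning-age settings applied to current users without any visible signal. The added comment only says that forcing can break access; I would state the default and its effect next to each variable, for example `# Default false: existing accounts are left as they are; set to true to enforce on them (can lock out the connecting user)`, with the wording confirmed against the consuming tasks. The change of default also belongs in the commit description or changelog so that operators can decide whether to set the variables explicitly.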