Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
Frederick Witty 2026-02-10 16:01:05 -05:00
parent 2863be6c02
commit 11becb32c5
No known key found for this signature in database
GPG key ID: 0CFA99C02DE4D8C3
17 changed files with 132 additions and 58 deletions


@ -1,6 +1,6 @@
---
# defaults file for rhel9-cis
# defaults file for RHEL9-CIS
# WARNING:
# These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
@ -63,7 +63,7 @@ benchmark: RHEL9-CIS
# System will reboot if false, can give better audit results
skip_reboot: true
# default value will change to true but wont reboot if not enabled but will error
# default value will change to true but won't reboot if not enabled but will error
change_requires_reboot: false
###
@ -93,7 +93,7 @@ audit_capture_files_dir: /some/location to copy to on control node
# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already downloaded
# you will need access to either github or the file already downloaded
get_audit_binary_method: download
## if get_audit_binary_method - copy the following needs to be updated for your environment
@ -387,7 +387,7 @@ rhel9cis_rule_5_3_3_2_6: true
rhel9cis_rule_5_3_3_2_7: true
rhel9cis_rule_5_3_3_2_8: true
# 5.3.3.3 Configure pam_pwhistory module
# This are added as part of 5.3.2.4 using jinja2 template
# These are added as part of 5.3.2.4 using jinja2 template
rhel9cis_rule_5_3_3_3_1: true
rhel9cis_rule_5_3_3_3_2: true
rhel9cis_rule_5_3_3_3_3: true
@ -522,7 +522,7 @@ rhel9cis_rule_7_2_9: true
## Ability to enable debug on mounts to assist in troubleshooting
# Mount point changes are set based upon facts created in Prelim
# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1.
rhel9cis_debug_mount_data: false
## Control 1.1.2
@ -569,9 +569,9 @@ rhel9cis_selinux_enforce: enforcing
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: false
################### bootloader password #####################################
################### bootloader password ############################################################
#
# Two options for for setting the bootloader password
# Two options for setting the bootloader password
#
# Option 1: Set the bootloader password and salt requires the passlib Python module
# to be available on the Ansible controller.
@ -592,7 +592,7 @@ rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
####################################################
######################################################################################################
## Controls 1.6.x and Controls 5.1.x
# This variable governs if current Ansible role should manage system-wide crypto policy.
@ -614,7 +614,7 @@ rhel9cis_additional_crypto_policy_module: ''
# - 1.7.1 - Ensure message of the day is configured properly
# - 1.7.2 - Ensure local login warning banner is configured properly
# - 1.7.3 - Ensure remote login warning banner is configured properly
# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported.
# End Banner
@ -850,7 +850,7 @@ rhel9cis_sshd_clientalivecountmax: 3
rhel9cis_sshd_clientaliveinterval: 15
## Control 5.1.12 - disable forwarding
# By Default this will also disablex11 forwarding
# By Default this will also disable X11 forwarding
# set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
rhel9cis_sshd_x11forwarding: 'no'
@ -892,7 +892,7 @@ rhel9cis_ssh_maxsessions: 4
# This variable defines the path and file name of the sudo log file.
rhel9cis_sudolog_location: "/var/log/sudo.log"
## Control 5.2.x -Ensure sudo authentication timeout is configured correctly
## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
# This variable sets the duration (in minutes) during which a user's authentication credentials
# are cached after successfully authenticating using "sudo". This allows the user to execute
# multiple commands with elevated privileges without needing to re-enter their password for each
@ -947,20 +947,37 @@ rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
# - 5.3.3.1.1
# This variable sets the amount of tries a password can be entered, before a user is locked.
rhel9cis_pam_faillock_deny: 5
# - 5.3.3.1.2
# This variable sets the amount of time a user will be unlocked after the max amount of
# password failures.
# password failures.
rhel9cis_pam_faillock_unlock_time: 900
# This variable represents the number of password change cycles, after which
# an user can re-use a password.
# CIS requires a value of 5 or more.
# 5.3.3.1.3 Locking even deny root or root unlock times
# rhel9cis_pamroot_lock_option options are
# even_deny_root
# root_unlock_time = {{ rhel9cis_root_unlock_time }}
rhel9cis_root_unlock_time: 60
#####################################################################################################################
# 5.3.3.1.3 | Ensure pam_faillock is configured - root account lockout behavior
#
# Controls how root is handled when the failed login threshold is reached.
#################### Two mutually exclusive options #################################################################
#
# -> even_deny_root : Lock root just like any other account
# -> root_unlock_time = <n> : Lock root but auto-unlock after <n> seconds
#
# Note: The default value is set to 'even_deny_root' to align with the CIS Benchmark recommendation of locking root
# identically to regular users when the failed login threshold is reached. If you prefer to have root auto-unlock
# after a specified time, set 'rhel9cis_pamroot_lock_option' to "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
# and adjust 'rhel9cis_root_unlock_time' as needed.
#
# Set ONE of the following:
#
# Option 1: root is locked identically to regular users when the failed login threshold is reached
rhel9cis_pamroot_lock_option: even_deny_root
# Option 2: root is locked but auto-unlocks after the specified seconds.
# Seconds before root is automatically unlocked (only used when rhel9cis_pamroot_lock_option includes root_unlock_time)
rhel9cis_root_unlock_time: 60
# rhel9cis_pamroot_lock_option: "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
#
########################################################################################################################
# 5.3.3.2.1 - password difok
rhel9cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf # pragma: allowlist secret
@ -995,12 +1012,9 @@ rhel9cis_passwd_maxsequence_value: 3
rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf # pragma: allowlist secret
rhel9cis_passwd_dictcheck_value: 1
# 5.3.3.2.7 - password quality enforce
# 5.3.3.2.7 - Ensure password quality is enforced for the root user
rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret
rhel9cis_passwd_quality_enforce_value: 1
# 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7
rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret
rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret
# PWhistory
@ -1038,7 +1052,7 @@ rhel9cis_force_user_maxdays: false
# This can break current connecting user access
rhel9cis_force_user_mindays: false
## 5.4.1.x Allow the forcing of of number of days before warning users of password expiry
## 5.4.1.x Allow the forcing of number of days before warning users of password expiry
# This can break current connecting user access
rhel9cis_force_user_warnage: false
@ -1048,6 +1062,15 @@ rhel9cis_force_user_warnage: false
rhel9cis_futurepwchgdate_autofix: true
# 5.4.2.x
## 5.4.2.5 Root user used
# Root by default is not used unless setup by user
# The role will only run certain commands if set to true
# This allows the ability to skip tasks that may cause an issue
# With the understanding root has full access
rhel9cis_uses_root: false
## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive
rhel9cis_root_umask: '0027' # 0027 or more restrictive
## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
@ -1064,7 +1087,7 @@ rhel9cis_shell_session_timeout: 900
# This variable specifies the path of the timeout setting file.
# (TMOUT setting can be set in multiple files, but only one is required for the
# rule to pass. Options are:
# - a file in `/etc/profile.d/` ending in `.s`,
# - a file in `/etc/profile.d/` ending in `.sh`,
# - `/etc/profile`, or
# - `/etc/bash.bashrc`.
rhel9cis_shell_session_file: /etc/profile.d/tmout.sh
@ -1107,7 +1130,7 @@ rhel9cis_aide_db_file_age: 1w
# If aide already setup this forces a new DB to be created
rhel9cis_aide_db_recreate: false
# allows to change db file, not config need to be adjusted too
# allows changing the db file; note the config needs to be adjusted too
rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz
## Control 6.1.2 AIDE cron settings
@ -1138,12 +1161,12 @@ rhel9cis_aide_cron:
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) can must be in the range `1-31`.
# The specified day(s) must be in the range `1-31`.
aide_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) can must be in the range `1-12`.
# The specified month(s) must be in the range `1-12`.
aide_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
@ -1185,7 +1208,7 @@ rhel9cis_journald_runtimekeepfree: 100G
# Current variable governs the settings for log retention(how long the log files will be kept).
# Thus, it specifies the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given values is interpreted as seconds, unless suffixed with the units
# The given value is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
# ATTENTION: Uncomment the keyword below when values are set!
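Review bot: In the new 5.3.3.1.3 block (hunk at -947,20 +947,37) the "Two mutually exclusive options" banner and "Set ONE of the following" are misleading: per pam_faillock(8), root_unlock_time implies even_deny_root, so the two settings are complementary rather than exclusive, and as I read the benchmark text either or both may be set. The same block should also say that the documented alternative auto-unlocks root after rhel9cis_root_unlock_time (60 s) while regular accounts stay locked for rhel9cis_pam_faillock_unlock_time (900 s), which gives the most privileged account the weaker lockout; if that is not intended, either default rhel9cis_root_unlock_time to match the regular unlock time or state why 60 is chosen (it appears to be the benchmark floor, not a recommended value). Suggested banner: `#################### Two compatible options (root_unlock_time implies even_deny_root) ##########` and selector: `# Set one or both of the following:`. Since defaults/main.yml is parsed as YAML before templating, the quoted Jinja form in the commented alternative is fine, but the note could mention that the value lands in faillock.conf as `root_unlock_time = <n>` with spaces, which is only valid in the conf file, not as a PAM module argument, if that is how the role applies it (cannot confirm from this hunk).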