Additional vars for issue #190

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-04-09 16:31:41 +01:00
parent 44911b81c3
commit 2d5ec1d474
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9


@ -1088,21 +1088,6 @@ rhel9cis_authselect_custom_profile_create: false
# to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.)
rhel9cis_authselect_custom_profile_select: false
## Section 5.6.1.x: Shadow Password Suite Parameters
rhel9cis_pass:
## Control 5.6.1.1 - Ensure password expiration is 365 days or less
# This variable governs after how many days a password expires.
# CIS requires a value of 365 or less.
max_days: 365
## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
# This variable specifies the minimum number of days allowed between changing
# passwords. CIS requires a value of at least 1.
min_days: 7
## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
warn_age: 7
## Control 5.5.1 - Ensure password creation requirements are configured - PAM
rhel9cis_pam_password:
# This variable sets the minimum chars a password needs to be set.
@ -1171,6 +1156,31 @@ rhel9cis_add_faillock_without_authselect: false
# to 'true', in order to include the 'with-failock' option to the current authselect profile.
rhel9cis_5_4_2_risks: NEVER
## Section 5.6.1.x: Shadow Password Suite Parameters
rhel9cis_pass:
## Control 5.6.1.1 - Ensure password expiration is 365 days or less
# This variable governs after how many days a password expires.
# CIS requires a value of 365 or less.
max_days: 365
## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
# This variable specifies the minimum number of days allowed between changing
# passwords. CIS requires a value of at least 1.
min_days: 7
## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
warn_age: 7
## Allow the forcing of setting user_max_days for logins.
# This can break current connecting user access
rhel9cis_force_user_maxdays: false
## Allow the force setting of minimum days between changing the password
rhel9cis_force_user_mindays: force
## Allow the forcing of of number of days before warning users of password expiry
rhel9cis_force_user_warnage: force
## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
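Review bot: `rhel9cis_force_user_mindays` and `rhel9cis_force_user_warnage` default to the bare string `force`, while the sibling `rhel9cis_force_user_maxdays` directly above them defaults to the boolean `false`. The tasks that consume these variables are not visible here, but if they test them as truthy toggles, a non-empty string would either turn the forced change on for existing accounts by default or fail to evaluate. That is at odds with the opt-in default on the maxdays toggle, whose comment warns that forcing can break access for currently connecting users. I would make all three opt-in booleans, `rhel9cis_force_user_mindays: false` and `rhel9cis_force_user_warnage: false`. While the block is being moved, the 5.6.1.2 comment also disagrees with itself (title says "7 or more", body says "at least 1"), and the warnage comment has a doubled "of".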