diff --git a/defaults/main.yml b/defaults/main.yml index 48a535f..7b24762 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,19 @@ --- # defaults file for rhel9-cis +# WARNING: +# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: +# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable +## Usage on containerized images +# The role discovers dynamically (in tasks/main.yml) whether it +# is executed on a container image and sets the variable +# system_is_container the true. Otherwise, the default value +# 'false' is left unchanged. system_is_container: false +# The filename of the existing yml file in role's 'vars/' sub-directory +# to be used for managing the role-behavior when a container was detected: +# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific +# firewall-type). container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks @@ -14,7 +26,7 @@ os_check: true ## Switching on/off specific baseline sections # These variables govern whether the tasks of a particular section are to be executed when running the role. # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. -# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". +# If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true @@ -30,7 +42,12 @@ rhel9cis_section6: true rhel9cis_level_1: true rhel9cis_level_2: true +## 1.6 SubSection - Mandatory Access Control +# This variable governs if SELinux is disabled or not. If SELinux is NOT DISABLED by setting +# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false +# This variable is used in a preliminary task, handling grub2 paths either in case of +# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false ## Python Binary @@ -63,29 +80,28 @@ change_requires_reboot: false # by installing the required binary. setup_audit: false -## Enable audits to run +## Enable audits to run - this runs the audit and get the latest content # This variable governs whether the audit using the # separately maintained audit role using Goss # is carried out. -# This runs the audit and get the latest content run_audit: false # Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +# This will enable files to be copied back to control node(part of audit_only) fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure(part of audit_only) audit_capture_files_dir: /some/location to copy to on control node -# How to retrieve audit binary -# Options are copy or download - detailed settings at the bottom of this file -# provided in variable `audit_conf_copy` for copying or -# the url given in variable `audit_files_url` for downloading. -# you will need to access to either github or the file already dowmloaded +## How to retrieve audit binary(Goss) +# Options are 'copy' or 'download' - detailed settings at the bottom of this file +# - if 'copy': +# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss +# - if 'download': +# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars get_audit_binary_method: download -## if get_audit_binary_method - copy the following needs to be updated for your environment +## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path @@ -95,16 +111,19 @@ audit_bin_copy_location: /some/accessible/path # This variable specifies the method of how to get the audit role # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf # onto the system. The options are as follows: -# - git: clone from git repository as specified in variable `audit_file_git` in -# the version specified by variable `audit_git_version` -# - copy: copy from path as specified in variable `audit_conf_copy` -# - get_url: Download from url as specified in variable `audit_files_url` +# - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and +# VERSION(e.g. branch, tag name), set up via `audit_git_version` var. +# - 'copy': copy from path as specified in variable `audit_conf_copy`. +# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked. +# - 'get_url': Download from url as specified in variable `audit_files_url` audit_content: git -# archive or copy: +# This variable(only used when 'audit_content' is 'copy' or 'archive') should +# contain the filepath with audit-content to be copied/unarchived on server: audit_conf_copy: "some path to copy from" -# get_url: +# This variable(only used when 'audit_content' is 'get_url') should +# contain the URL from where the audit-content must be downloaded on server: audit_files_url: "some url maybe s3?" # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system @@ -114,7 +133,7 @@ audit_run_heavy_tests: true # This variable specifies the timeout (in ms) for audit commands that # take a very long time: if a command takes too long to complete, # it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 60000 +audit_cmd_timeout: 120000 ### End Goss enablements #### @@ -122,6 +141,7 @@ audit_cmd_timeout: 60000 # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. + # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true @@ -223,8 +243,7 @@ rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true -# Section 3 rules -# Network Configuration +# Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings) rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true @@ -367,7 +386,6 @@ rhel9cis_rule_5_6_6: true # Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) rhel9cis_rule_6_1_1: true -rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true rhel9cis_rule_6_1_4: true