Document variables in defaults/main.yml, Fix 2.

Signed-off-by: root@DERVISHx <nuno.carvalho@siemens.com>
2025-12-27 15:33:06 +00:00 · 2023-11-24 15:38:40 +00:00 · 2023-11-24 15:38:40 +00:00 · a2162dbd1b
commit a2162dbd1b
parent 50c8945565
1 changed files with 281 additions and 40 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,6 +11,10 @@ system_is_ec2: false
 # Supported OSs will not need for this to be changed - see README e.g. CentOS
 os_check: true

+## Switching on/off specific baseline sections
+# These variables govern whether the tasks of a particular section are to be executed when running the role.
+# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
+# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false".
 rhel9cis_section1: true
 rhel9cis_section2: true
 rhel9cis_section3: true
@ -22,6 +26,7 @@ rhel9cis_section6: true
 # e.g.
 # - level1-server
 # - level2-workstation
+# Used for audit
 rhel9cis_level_1: true
 rhel9cis_level_2: true

@ -39,7 +44,8 @@ benchmark_version: 'v1.0.0'

 benchmark: RHEL9-CIS

-# Whether to skip the reboot
+# Whether to skip the system reboot before audit
+# System will reboot if false, can give better audit results
 skip_reboot: true

 # default value will change to true but wont reboot if not enabled but will error
@ -48,21 +54,39 @@ change_requires_reboot: false
 #### Basic external goss audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####

-### Goss is required on the remote host
+## Audit setup
+# Audits are carried out using Goss. This variable
+# determines whether execution of the role prepares for auditing
+# by installing the required binary.
 setup_audit: false
-# How to retrive goss
+## How to retrive goss
 # Options are copy or download - detailed settings at the bottom of this file
+# provided in variable `audit_conf_copy` for copying or
+# the url given in variable `audit_files_url` for downloading.
 # you will need to access to either github or the file already dowmloaded
 get_audit_binary_method: download

-# how to get audit files onto host options
+## How to retrieve the audit role
+# The role for auditing is maintained separately.
+# This variable specifies the method of how to get the audit role
 # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)
+# onto the system. The options are as follows:
+# - git: clone from git repository as specified in variable `audit_file_git` in
+#   the version specified by variable `audit_git_version`
+# - copy: copy from path as specified in variable `audit_conf_copy`
+# - get_url: Download from url as specified in variable `audit_files_url`
 audit_content: git

-# enable audits to run - this  runs the audit and get the latest content
+## Enable audits to run
+# This variable governs whether the audit using the
+# separately maintained audit role using Goss
+# is carried out.
 run_audit: false

 # Timeout for those cmds that take longer to run where timeout set
+# This variable specifies the timeout (in ms) for audit commands that
+# take a very long time: if a command takes too long to complete,
+# it will be forcefully terminated after the specified duration.
 audit_cmd_timeout: 60000

 ### End Goss enablements ####
@ -72,7 +96,9 @@ audit_cmd_timeout: 60000
 # the CIS benchmark documents.
 # PLEASE NOTE: These work in coordination with the section # group variables and tags.
 # You must enable an entire section in order for the variables below to take effect.
-# Section 1 rules
+
+# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
+# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
 rhel9cis_rule_1_1_1_1: true
 rhel9cis_rule_1_1_1_2: true
 rhel9cis_rule_1_1_2_1: true
@ -145,7 +171,7 @@ rhel9cis_rule_1_8_10: true
 rhel9cis_rule_1_9: true
 rhel9cis_rule_1_10: true

-# Section 2 rules
+# Section 2 rules are controling Services (Special Purpose Services, and service clients)
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
 rhel9cis_rule_2_2_1: true
@ -173,6 +199,7 @@ rhel9cis_rule_2_3_4: true
 rhel9cis_rule_2_4: true

 # Section 3 rules
+# Network Configuration
 rhel9cis_rule_3_1_1: true
 rhel9cis_rule_3_1_2: true
 rhel9cis_rule_3_1_3: true
@ -197,7 +224,8 @@ rhel9cis_rule_3_4_2_5: true
 rhel9cis_rule_3_4_2_6: true
 rhel9cis_rule_3_4_2_7: true

-# Section 4 rules
+# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd),
+# Configure Data Retention, and Configure Logging)
 rhel9cis_rule_4_1_1_1: true
 rhel9cis_rule_4_1_1_2: true
 rhel9cis_rule_4_1_1_3: true
@ -256,7 +284,8 @@ rhel9cis_rule_4_2_2_7: true
 rhel9cis_rule_4_2_3: true
 rhel9cis_rule_4_3: true

-# Section 5 rules
+# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers,
+# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment)
 rhel9cis_rule_5_1_1: true
 rhel9cis_rule_5_1_2: true
 rhel9cis_rule_5_1_3: true
@ -311,7 +340,8 @@ rhel9cis_rule_5_6_4: true
 rhel9cis_rule_5_6_5: true
 rhel9cis_rule_5_6_6: true

-# Section 6 rules
+# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings)
+rhel9cis_rule_6_1_1: true
 rhel9cis_rule_6_1_1: true
 rhel9cis_rule_6_1_2: true
 rhel9cis_rule_6_1_3: true
@ -377,10 +407,18 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4
 rhel9cis_bootloader_password: random  # pragma: allowlist secret
 rhel9cis_set_boot_pass: true

-# 1.8 Gnome Desktop
+
+## Controls 1.8.x - Settings for GDM
+# This variable specifies the GNOME configuration database file to which configurations are written.
+# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
+# The default database is `local`
 rhel9cis_dconf_db_name: local
-rhel9cis_screensaver_idle_delay: 900  # Set max value for idle-delay in seconds (between 1 and 900)
-rhel9cis_screensaver_lock_delay: 5  # Set max value for lock-delay in seconds (between 0 and 5)
+# This variable governs the number of seconds of inactivity before the screen goes blank.
+# Set max value for idle-delay in seconds (between 1 and 900)
+rhel9cis_screensaver_idle_delay: 900 
+# This variable governs the number of seconds the screen remains blank before it is locked.
+# Set max value for lock-delay in seconds (between 0 and 5)
+rhel9cis_screensaver_lock_delay: 5  

 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 # Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
@ -389,27 +427,67 @@ rhel9cis_crypto_policy: 'DEFAULT'
 rhel9cis_crypto_policy_module: ''

 # System network parameters (host only OR host and router)
+# This variable governs whether specific CIS rules
+# concerned with acceptance and routing of packages are skipped.
 rhel9cis_is_router: false

-# IPv6 required
+## IPv6 requirement toggle
+# This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true

-# AIDE
+## Control 1.3.1 - allow aide to be configured
+# AIDE is a file integrity checking tool, similar in nature to Tripwire.
+# While it cannot prevent intrusions, it can detect unauthorized changes
+# to configuration files by alerting when the files are changed. Review
+# the AIDE quick start guide and AIDE documentation before proceeding.
+# By setting this variable to `true`, all of the settings related to AIDE will be applied!
 rhel9cis_config_aide: true
-# AIDE cron settings
+
+## Control 1.3.2 AIDE cron settings
+# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
+# The sub-settings of this variable provide the parameters required to configure
+# the cron job on the target system.
+# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
+# and executed automatically at a certain point in time.
 rhel9cis_aide_cron:
+    # This variable represents the user account under which the cron job for AIDE will run.
    cron_user: root
+    # This variable represents the path to the AIDE crontab file.
    cron_file: /etc/cron.d/aide_cron
+    # This variable represents the actual command or script that the cron job
+    # will execute for running AIDE.
    aide_job: '/usr/sbin/aide --check'
+    # These variables define the schedule for the cron job
+    # This variable governs the minute of the time of day when the AIDE cronjob is run.
+    # It must be in the range `0-59`.
    aide_minute: 0
+    # This variable governs the hour of the time of day when the AIDE cronjob is run.
+    # It must be in the range `0-23`.
    aide_hour: 5
+    # This variable governs the day of the month when the AIDE cronjob is run.
+    # `*` signifies that the job is run on all days; furthermore, specific days
+    # can be given in the range `1-31`; several days can be concatenated with a comma.
+    # The specified day(s) can must be in the range  `1-31`.
    aide_day: '*'
+    # This variable governs months when the AIDE cronjob is run.
+    # `*` signifies that the job is run in every month; furthermore, specific months
+    # can be given in the range `1-12`; several months can be concatenated with commas.
+    # The specified month(s) can must be in the range  `1-12`.
    aide_month: '*'    
+    # This variable governs the weekdays, when the AIDE cronjob is run.
+    # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
+    # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
+    # can be concatenated with commas.
    aide_weekday: '*'

 # SELinux policy
+# This selects type of policy; targeted or mls ( multilevel )
+# mls should not be used, since it will disable unconfined policy module
+# and may prevent some services from running.
 rhel9cis_selinux_pol: targeted
 # chose onf or enfocing or permissive
+# CIS expects enforcing since permissive allows operations thet might compromise the system.
+# Even though logging still occurs.
 rhel9cis_selinux_enforce: enforcing

 # Whether or not to run tasks related to auditing/patching the desktop environment
@ -418,6 +496,11 @@ rhel9cis_selinux_enforce: enforcing

 ### 2.1 Time Synchronization
 #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
+# The following variable represents a list of of time servers used
+# for configuring chrony, timesyncd, and ntp.
+# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
+# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation
+# of the time synchronization mechanism you are using.
 rhel9cis_time_synchronization_servers:
    - 0.pool.ntp.org
    - 1.pool.ntp.org
@ -426,7 +509,9 @@ rhel9cis_time_synchronization_servers:
 rhel9cis_chrony_server_options: "minpoll 8"

 ### 2.2 Special Purposes
-##### Service configuration booleans set true to keep service
+# Service configuration variables (boolean).
+# Set the respective variable to true to keep the service.
+# otherwise the service is stopped and disabled
 rhel9cis_gui: false
 rhel9cis_avahi_server: false
 rhel9cis_cups_server: false
@ -444,10 +529,12 @@ rhel9cis_squid_server: false
 rhel9cis_snmp_server: false
 rhel9cis_telnet_server: false
 rhel9cis_is_mail_server: false
-# Note the options
-# Packages are used for client services and Server- only remove if you dont use the client service
-#

+# Note the options
+# Client package configuration variables.
+# Packages are used for client services and Server, only remove if you dont use the client service
+# Set the respective variable to `true` to keep the
+# client package, otherwise it is uninstalled (false).
 rhel9cis_use_nfs_server: false
 rhel9cis_use_nfs_service: false

@ -463,8 +550,7 @@ rhel9cis_openldap_clients_required: false
 rhel9cis_tftp_client: false
 rhel9cis_ftp_client: false

-## Section3 vars
-## Sysctl
+## Section 3 vars for Sysctl
 rhel9cis_sysctl_update: false
 rhel9cis_flush_ipv4_route: false
 rhel9cis_flush_ipv6_route: false
@ -484,7 +570,11 @@ rhel9cis_firewalld_ports:
    - number: 80
      protocol: tcp

-#### nftables
+## Controls 3.5.2.x - nftables
+# The default nftables table name is "filter". This variable name will be the one all
+# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create.
+# nftables configs are applied to.
+# options are: inet filter
 rhel9cis_nft_tables_autonewtable: true
 rhel9cis_nft_tables_tablename: filter
 rhel9cis_nft_tables_autochaincreate: true
@ -496,23 +586,60 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and
 ## Section4 vars
 ### 4.1 Configure System Accounting
 #### 4.1.2 Configure Data Retention
+## Controls what actions, when log files fill up
+# This variable controls how the audit system behaves when
+# log files are getting too full and space is getting too low.
 rhel9cis_auditd:
    space_left_action: email
    action_mail_acct: root
+    # This variable determines the action the audit system should take when disk
+    # space runs low.
+    # The options for setting this variable are as follows:
+    # - `ignore`: the system does nothing when presented with the aforementioned issue;
+    # - `syslog`: a message is sent to the system log about disk space running low;
+    # - `suspend`: the system suspends recording audit events until more space is available;
+    # - `halt`: the system is halted when disk space is critically low.
+    # - `single`: the audit daemon will put the computer system in single user mode
+    # CIS prescribes either `halt` or `single`.
    admin_space_left_action: halt
+    # This variable determines what action the audit system should take when the maximum
+    # size of a log file is reached.
+    # The options for setting this variable are as follows:
+    # - `ignore`: the system does nothing when the size of a log file is full;
+    # - `syslog`: a message is sent to the system log indicating the problem;
+    # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated;
+    # - `rotate`: the log file is rotated (archived) and a new empty log file is created;
+    # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints.
+    # CIS prescribes the value `keep_logs`.
    max_log_file_action: keep_logs

-# The audit_back_log_limit value should never be below 8192
+##  Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient
+# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
+# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
+# Buffering in memory is useful in situations, where the audit system is overwhelmed
+# with incoming audit events, and needs to temporarily store them until they can be processed.
+# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
 rhel9cis_audit_back_log_limit: 8192

-# The max_log_file parameter should be based on your sites policy
+## Control 4.1.2.1 - Ensure audit log storage size is configured
+# This variable specifies the maximum size in MB that an audit log file can reach
+# before it is archived or deleted to make space for the new audit data.
+# This should be set based on your sites policy. CIS does not provide a specific value.
 rhel9cis_max_log_file_size: 10

-### 4.1.3.x audit template
+## 4.1.3.x - Audit template
+# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the
+# audit settings are overwritten with the role's template. In order to exclude
+# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above
+# to `false`.
 update_audit_template: false

 ## Advanced option found in auditd post
+# users whose actions are not logged by auditd
 rhel9cis_allow_auditd_uid_user_exclusions: false
+# add a list of uids to be excluded.
+rhel9cis_auditd_uid_exclude:
+    - 1999

 # This can be used to configure other keys in auditd.conf
 rhel9cis_auditd_extra_conf: {}
@ -528,35 +655,63 @@ rhel9cis_rsyslog_ansiblemanaged: true

 #### 4.2.1.6 remote and destation log server name
 rhel9cis_remote_log_server: false
-rhel9cis_remote_log_host: logagg.example.com
+rhel9cis_remote_log_host: 192.168.2.100
 rhel9cis_remote_log_port: 514
 rhel9cis_remote_log_protocol: tcp
 rhel9cis_remote_log_retrycount: 100
 rhel9cis_remote_log_queuesize: 1000

 #### 4.2.1.7
+# This variable expresses whether the system is used as a log server or not.
+# If set to `true`, controls that interfere with log server functionality or
+# require that own system logs be sent to some other log server are skipped.
 rhel9cis_system_is_log_server: false

 # 4.2.2.1.2
 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to
 rhel9cis_journal_upload_url: 192.168.50.42
-# The paths below have the default paths/files, but allow user to create custom paths/filenames
+
+## The paths below have the default paths/files, but allow user to create custom paths/filenames
+# This variable specifies the path to the private key file used by the remote journal
+# server to authenticate itself to the client. This key is used alongside the server's
+# public certificate to establish secure communication.
 rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
+# This variable specifies the path to the public certificate file of the remote journal
+# server. This certificate is used to verify the authenticity of the remote server.
 rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
+# This variable specifies the path to a file containing one or more public certificates
+# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
+# to validate the authenticity of the remote server's certificate.
 rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"

 # 4.2.2.1
 # The variables below related to journald, please set these to your site specific values
+# These variable specifies how much disk space the journal may use up at most
+# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
+# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
+# ATTENTION: Uncomment the keyword below when values are set!
 # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use
 rhel9cis_journald_systemmaxuse: 10M
 # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free
 rhel9cis_journald_systemkeepfree: 100G
+# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most.
+# same as rhel9cis_journald_systemmaxuse.
 rhel9cis_journald_runtimemaxuse: 10M
+# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free
+# same as rhel9cis_journald_systemkeepfree.
 rhel9cis_journald_runtimekeepfree: 100G
-# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+# rhel9cis_journald_MaxFileSec is how long in time to keep log files.
+# This variable specifies, the maximum time to store entries in a single journal
+# file before rotating to the next one. Set to 0 to turn off this feature.
+# The given values is interpreted as seconds, unless suffixed with the units
+# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
+# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+# ATTENTION: Uncomment the keyword below when values are set!
 rhel9cis_journald_maxfilesec: 1month

 #### 4.3
+# This variable defines the log file rotation period.
+# Options are: daily, monthly, yearly.
 rhel9cis_logrotate: "daily"

 ## Section5 vars
@ -565,20 +720,61 @@ rhel9cis_logrotate: "daily"
 rhel9_cis_sshd_config_file: /etc/ssh/sshd_config

 rhel9cis_sshd:
-    clientalivecountmax: 0
-    clientaliveinterval: 900
+    # This variable sets the maximum number of unresponsive "keep-alive" messages
+    # that can be sent from the server to the client before the connection is considered
+    # inactive and thus, closed.
+    clientalivecountmax: 3
+    # This variable sets the time interval in seconds between sending "keep-alive"
+    # messages from the server to the client. These types of messages are intended to
+    # keep the connection alive and prevent it being terminated due to inactivity.
+    clientaliveinterval: 300
+    # This variable specifies the amount of seconds allowed for successful authentication to
+    # the SSH server.
    logingracetime: 60
-    # WARNING: make sure you understand the precedence when working with these values!!
-    # allowusers:
-    # allowgroups: systems dba
-    # denyusers:
-    # denygroups:
+    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
+    # access for users whose user name matches one of the patterns. This is done
+    # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
+    # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
+    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+    # For more info, see https://linux.die.net/man/5/sshd_config
+    allow_users: ""
+    # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+    # for users whose primary group or supplementary group list matches one of the patterns. This is done
+    # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
+    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+    # For more info, https://linux.die.net/man/5/sshd_config
+    allow_groups: wheel
+    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+    # for users whose user name matches one of the patterns. This is done
+    # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+    # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+    # For more info, see https://linux.die.net/man/5/sshd_config
+    deny_users: nobody
+    # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+    # for users whose primary group or supplementary group list matches one of the patterns. This is done
+    # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+    # For more info, see https://linux.die.net/man/5/sshd_config
+    deny_groups: ""

-# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
+# 5.2.5 SSH LogLevel setting.
+# This variable is used to control the verbosity of the logging produced by the SSH server.
+# The options for setting it are as follows:
+# - `QUIET`: Minimal logging;
+# - `FATAL`: logs only fatal errors;
+# - `ERROR`: logs error messages;
+# - `INFO`: logs informational messages in addition to errors;
+# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
+# - `DEBUG`: generates very detailed debugging information including sensitive information.
+# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1.
 rhel9cis_ssh_loglevel: INFO

 # 5.2.19 SSH MaxSessions setting. Must be 4 our less
 rhel9cis_ssh_maxsessions: 4
+## Control 5.5.1.4
+# This variable specifies the number of days of inactivity before an account will be locked.
+# CIS requires a value of 30 days or less.
 rhel9cis_inactivelock:
    lock_days: 30

@ -596,32 +792,65 @@ rhel9cis_authselect_custom_profile_create: false
 # 5.3.2 Enable automation to select custom profile options, using the settings above
 rhel9cis_authselect_custom_profile_select: false

+## Controls 5.5.1.x - Password settings
 rhel9cis_pass:
+    ## Control 5.5.1.2
+    # This variable governs after how many days a  password expires.
+    # CIS requires a value of 365 or less.
    max_days: 365
+    ## Control 5.5.1.1
+    # This variable specifies the minimum number of days allowed between changing passwords.
+    # CIS requires a value of at least 1.
    min_days: 7
+    ## Control 5.5.1.3
+    # This variable governs, how many days before a password expires, the user will be warned.
+    # CIS requires a value of at least 7.
    warn_age: 7

 # 5.5.1
 ## PAM
 rhel9cis_pam_password:
+    # This variable sets the minimum chars a password needs to be set.
    minlen: 14
+    # This variable set password complexity,the minimum number of
+    # character types that must be used (i.e., uppercase, lowercase, digits, other)
+    # Set to 2, passwords cannot have all lower/upper case.
+    # Set to 3, passwords needs numbers.
+    # set to 4, passwords will have to include all four types of characters.
    minclass: 4

 rhel9cis_pam_faillock:
+    # This variable sets the amount of time a user will be unlocked after
+    # the max amount of password failures.
    unlock_time: 900
+    # This variable sets the amount of tries a password can be entered, before a user is locked.
    deny: 5
+    # This variable represents the number of password change cycles, after which
+    # a user can re-use a password.
+    # CIS requires a value of 5 or more.
    remember: 5

 # UID settings for interactive users
 # These are discovered via logins.def if set true
 discover_int_uid: false
+# This variable sets the minimum number from which to search for UID
+# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
+# been set to `true`.
 min_int_uid: 1000
+# This variable sets the maximum number at which the search stops for UID
+# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
+# been set to `true`.
 max_int_uid: 65533

 # 5.3.3 var log location variable
+# This variable defines the path and file name of the sudo log file.
 rhel9cis_sudolog_location: "/var/log/sudo.log"

 #### 5.3.6
+# This variable sets the duration (in minutes) during which a user's authentication credentials
+# are cached after successfully authenticating using "sudo". This allows the user to execute
+# multiple commands with elevated privileges without needing to re-enter their password for each
+# command within the specified time period. CIS requires a value of at most 15 minutes.
 rhel9cis_sudo_timestamp_timeout: 15

 ### 5.4.2 authselect and faillock
@ -636,12 +865,24 @@ rhel9cis_5_4_2_risks: NEVER
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)
 rhel9cis_shell_session_timeout:
+    # This variable specifies the path of the timeout setting file.
+    # (TMOUT setting can be set in multiple files, but only one is required for the
+    # rule to pass. Options are:
+    # - a file in `/etc/profile.d/` ending in `.s`,
+    # - `/etc/profile`, or
+    # - `/etc/bash.bashrc`.
    file: /etc/profile.d/tmout.sh
+    # This variable represents the amount of seconds a command or process is allowed to
+    # run before being forcefully terminated.
+    # CIS requires a value of at most 900 seconds.
    timeout: 600
 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel9cis_futurepwchgdate_autofix: true

-# 5.3.7
+## 5.3.7
+# This variable determines the group of users that are allowed to use the su command.
+# one to specify a user group that is allowed to use the "su" command.
+# CIS requires that such a group be created (named according to site policy) and be kept empty.
 rhel9cis_sugroup: nosugroup

 ## Section6 vars
@ -654,7 +895,7 @@ rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

 # 6.2.16
-## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
+## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis reedbacj
 rhel_09_6_2_16_home_follow_symlinks: false

 #### Goss Configuration Settings ####