Changes after rebasing, 2

2025-12-27 15:33:06 +00:00 · 2024-01-31 00:10:24 +02:00 · 2024-01-31 00:10:24 +02:00 · d97e42e414
commit d97e42e414
parent 3fe681c0d2
1 changed files with 285 additions and 35 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,6 +11,10 @@ system_is_ec2: false
 # Supported OSs will not need for this to be changed - see README e.g. CentOS
 os_check: true
 ## Switching on/off specific baseline sections
 # These variables govern whether the tasks of a particular section are to be executed when running the role.
 # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
 # to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false".
 rhel9cis_section1: true
 rhel9cis_section2: true
 rhel9cis_section3: true
@ -22,6 +26,7 @@ rhel9cis_section6: true
 # e.g.
 # - level1-server
 # - level2-workstation
 # Used for audit
 rhel9cis_level_1: true
 rhel9cis_level_2: true
@ -39,7 +44,8 @@ benchmark_version: 'v1.0.0'
 benchmark: RHEL9-CIS
-# Whether to skip the reboot
+# Whether to skip the system reboot before audit
 # System will reboot if false, can give better audit results
 skip_reboot: true
 # default value will change to true but wont reboot if not enabled but will error
@ -49,12 +55,13 @@ change_requires_reboot: false
 ### Goss is required on the remote host ###
 ## Refer to vars/auditd.yml for any other settings ##
 ## Audit setup
 # Audits are carried out using Goss. This variable
 # determines whether execution of the role prepares for auditing
 # by installing the required binary.
 # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
 # enable audits to run - this runs the audit and get the latest content
 run_audit: false
 # Only run Audit do not remediate
 audit_only: false
 # As part of audit_only
@ -64,7 +71,10 @@ fetch_audit_files: false
 audit_capture_files_dir: /some/location to copy to on control node
 # How to retrieve audit binary
 ## How to retrive goss
 # Options are copy or download - detailed settings at the bottom of this file
 # provided in variable `audit_conf_copy` for copying or
 # the url given in variable `audit_files_url` for downloading.
 # you will need to access to either github or the file already dowmloaded
 get_audit_binary_method: download
@ -75,6 +85,15 @@ audit_bin_copy_location: /some/accessible/path
 # how to get audit files onto host options
 # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 ## How to retrieve the audit role
 # The role for auditing is maintained separately.
 # This variable specifies the method of how to get the audit role
 # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)
 # onto the system. The options are as follows:
 # - git: clone from git repository as specified in variable `audit_file_git` in
 #   the version specified by variable `audit_git_version`
 # - copy: copy from path as specified in variable `audit_conf_copy`
 # - get_url: Download from url as specified in variable `audit_files_url`
 audit_content: git
 # archive or copy:
@ -82,6 +101,11 @@ audit_conf_copy: "some path to copy from"
 # get_url:
 audit_files_url: "some url maybe s3?"
 ## Enable audits to run
 # This variable governs whether the audit using the
 # separately maintained audit role using Goss
 # is carried out.
 run_audit: false
 # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
 audit_run_heavy_tests: true
@ -92,12 +116,15 @@ audit_run_heavy_tests: true
 audit_cmd_timeout: 120000
 ### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
 # These variables correspond with the CIS rule IDs or paragraph numbers defined in
 # the CIS benchmark documents.
 # PLEASE NOTE: These work in coordination with the section # group variables and tags.
 # You must enable an entire section in order for the variables below to take effect.
-# Section 1 rules
+
 # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
 # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
 rhel9cis_rule_1_1_1_1: true
 rhel9cis_rule_1_1_1_2: true
 rhel9cis_rule_1_1_2_1: true
@ -170,7 +197,7 @@ rhel9cis_rule_1_8_10: true
 rhel9cis_rule_1_9: true
 rhel9cis_rule_1_10: true
-# Section 2 rules
+# Section 2 rules are controling Services (Special Purpose Services, and service clients)
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
 rhel9cis_rule_2_2_1: true
@ -198,6 +225,7 @@ rhel9cis_rule_2_3_4: true
 rhel9cis_rule_2_4: true
 # Section 3 rules
 # Network Configuration
 rhel9cis_rule_3_1_1: true
 rhel9cis_rule_3_1_2: true
 rhel9cis_rule_3_1_3: true
@ -222,7 +250,8 @@ rhel9cis_rule_3_4_2_5: true
 rhel9cis_rule_3_4_2_6: true
 rhel9cis_rule_3_4_2_7: true
-# Section 4 rules
+# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd),
 # Configure Data Retention, and Configure Logging)
 rhel9cis_rule_4_1_1_1: true
 rhel9cis_rule_4_1_1_2: true
 rhel9cis_rule_4_1_1_3: true
@ -281,7 +310,8 @@ rhel9cis_rule_4_2_2_7: true
 rhel9cis_rule_4_2_3: true
 rhel9cis_rule_4_3: true
-# Section 5 rules
+# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers,
 # Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment)
 rhel9cis_rule_5_1_1: true
 rhel9cis_rule_5_1_2: true
 rhel9cis_rule_5_1_3: true
@ -336,7 +366,7 @@ rhel9cis_rule_5_6_4: true
 rhel9cis_rule_5_6_5: true
 rhel9cis_rule_5_6_6: true
-# Section 6 rules
+# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings)
 rhel9cis_rule_6_1_1: true
 rhel9cis_rule_6_1_2: true
 rhel9cis_rule_6_1_3: true
@ -402,10 +432,18 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4
 rhel9cis_bootloader_password: random  # pragma: allowlist secret
 rhel9cis_set_boot_pass: true
-# 1.8 Gnome Desktop
+
 ## Controls 1.8.x - Settings for GDM
 # This variable specifies the GNOME configuration database file to which configurations are written.
 # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
 # The default database is `local`
 rhel9cis_dconf_db_name: local
-rhel9cis_screensaver_idle_delay: 900  # Set max value for idle-delay in seconds (between 1 and 900)
+# This variable governs the number of seconds of inactivity before the screen goes blank.
-rhel9cis_screensaver_lock_delay: 5  # Set max value for lock-delay in seconds (between 0 and 5)
+# Set max value for idle-delay in seconds (between 1 and 900)
 rhel9cis_screensaver_idle_delay: 900
 # This variable governs the number of seconds the screen remains blank before it is locked.
 # Set max value for lock-delay in seconds (between 0 and 5)
 rhel9cis_screensaver_lock_delay: 5
 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 # Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
@ -414,27 +452,67 @@ rhel9cis_crypto_policy: 'DEFAULT'
 rhel9cis_crypto_policy_module: ''
 # System network parameters (host only OR host and router)
 # This variable governs whether specific CIS rules
 # concerned with acceptance and routing of packages are skipped.
 rhel9cis_is_router: false
-# IPv6 required
+## IPv6 requirement toggle
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
-# AIDE
+## Control 1.3.1 - allow aide to be configured
 # AIDE is a file integrity checking tool, similar in nature to Tripwire.
 # While it cannot prevent intrusions, it can detect unauthorized changes
 # to configuration files by alerting when the files are changed. Review
 # the AIDE quick start guide and AIDE documentation before proceeding.
 # By setting this variable to `true`, all of the settings related to AIDE will be applied!
 rhel9cis_config_aide: true
-# AIDE cron settings
+
 ## Control 1.3.2 AIDE cron settings
 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
 # The sub-settings of this variable provide the parameters required to configure
 # the cron job on the target system.
 # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
 # and executed automatically at a certain point in time.
 rhel9cis_aide_cron:
    # This variable represents the user account under which the cron job for AIDE will run.
    cron_user: root
    # This variable represents the path to the AIDE crontab file.
    cron_file: /etc/cron.d/aide_cron
    # This variable represents the actual command or script that the cron job
    # will execute for running AIDE.
    aide_job: '/usr/sbin/aide --check'
    # These variables define the schedule for the cron job
    # This variable governs the minute of the time of day when the AIDE cronjob is run.
    # It must be in the range `0-59`.
    aide_minute: 0
    # This variable governs the hour of the time of day when the AIDE cronjob is run.
    # It must be in the range `0-23`.
    aide_hour: 5
    # This variable governs the day of the month when the AIDE cronjob is run.
    # `*` signifies that the job is run on all days; furthermore, specific days
    # can be given in the range `1-31`; several days can be concatenated with a comma.
    # The specified day(s) can must be in the range  `1-31`.
    aide_day: '*'
    # This variable governs months when the AIDE cronjob is run.
    # `*` signifies that the job is run in every month; furthermore, specific months
    # can be given in the range `1-12`; several months can be concatenated with commas.
    # The specified month(s) can must be in the range  `1-12`.
    aide_month: '*'
    # This variable governs the weekdays, when the AIDE cronjob is run.
    # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
    # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
    # can be concatenated with commas.
    aide_weekday: '*'
 # SELinux policy
 # This selects type of policy; targeted or mls ( multilevel )
 # mls should not be used, since it will disable unconfined policy module
 # and may prevent some services from running.
 rhel9cis_selinux_pol: targeted
 # chose onf or enfocing or permissive
 # CIS expects enforcing since permissive allows operations thet might compromise the system.
 # Even though logging still occurs.
 rhel9cis_selinux_enforce: enforcing
 # Whether or not to run tasks related to auditing/patching the desktop environment
@ -443,6 +521,11 @@ rhel9cis_selinux_enforce: enforcing
 ### 2.1 Time Synchronization
 #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
 # The following variable represents a list of of time servers used
 # for configuring chrony, timesyncd, and ntp.
 # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
 # The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation
 # of the time synchronization mechanism you are using.
 rhel9cis_time_synchronization_servers:
    - 0.pool.ntp.org
    - 1.pool.ntp.org
@ -454,7 +537,9 @@ rhel9cis_chrony_server_makestep: "1.0 3"
 rhel9cis_chrony_server_minsources: 2
 ### 2.2 Special Purposes
-##### Service configuration booleans set true to keep service
+# Service configuration variables (boolean).
 # Set the respective variable to true to keep the service.
 # otherwise the service is stopped and disabled
 rhel9cis_gui: false
 rhel9cis_avahi_server: false
 rhel9cis_cups_server: false
@ -472,10 +557,12 @@ rhel9cis_squid_server: false
 rhel9cis_snmp_server: false
 rhel9cis_telnet_server: false
 rhel9cis_is_mail_server: false
 # Note the options
 # Packages are used for client services and Server- only remove if you dont use the client service
 #
 # Note the options
 # Client package configuration variables.
 # Packages are used for client services and Server, only remove if you dont use the client service
 # Set the respective variable to `true` to keep the
 # client package, otherwise it is uninstalled (false).
 rhel9cis_use_nfs_server: false
 rhel9cis_use_nfs_service: false
@ -491,8 +578,7 @@ rhel9cis_openldap_clients_required: false
 rhel9cis_tftp_client: false
 rhel9cis_ftp_client: false
-## Section3 vars
+## Section 3 vars for Sysctl
 ## Sysctl
 rhel9cis_sysctl_update: false
 rhel9cis_flush_ipv4_route: false
 rhel9cis_flush_ipv6_route: false
@ -512,7 +598,11 @@ rhel9cis_firewalld_ports:
    - number: 80
      protocol: tcp
-#### nftables
+## Controls 3.5.2.x - nftables
 # The default nftables table name is "filter". This variable name will be the one all
 # "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create.
 # nftables configs are applied to.
 # options are: inet filter
 rhel9cis_nft_tables_autonewtable: true
 rhel9cis_nft_tables_tablename: filter
 rhel9cis_nft_tables_autochaincreate: true
@ -524,14 +614,41 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and
 ## Section4 vars
 ### 4.1 Configure System Accounting
 #### 4.1.2 Configure Data Retention
 ## Controls what actions, when log files fill up
 # This variable controls how the audit system behaves when
 # log files are getting too full and space is getting too low.
 rhel9cis_auditd:
    space_left_action: email
    action_mail_acct: root
    # This variable determines the action the audit system should take when disk
    # space runs low.
    # The options for setting this variable are as follows:
    # - `ignore`: the system does nothing when presented with the aforementioned issue;
    # - `syslog`: a message is sent to the system log about disk space running low;
    # - `suspend`: the system suspends recording audit events until more space is available;
    # - `halt`: the system is halted when disk space is critically low.
    # - `single`: the audit daemon will put the computer system in single user mode
    # CIS prescribes either `halt` or `single`.
    admin_space_left_action: halt
    # This variable determines what action the audit system should take when the maximum
    # size of a log file is reached.
    # The options for setting this variable are as follows:
    # - `ignore`: the system does nothing when the size of a log file is full;
    # - `syslog`: a message is sent to the system log indicating the problem;
    # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated;
    # - `rotate`: the log file is rotated (archived) and a new empty log file is created;
    # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints.
    # CIS prescribes the value `keep_logs`.
    max_log_file_action: keep_logs
    # The max_log_file parameter should be based on your sites policy.
    max_log_file: 10
    max_log_file_action: keep_logs
 ##  Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
 # system can buffer in memory, if the audit subsystem is unable to process them in real-time.
 # Buffering in memory is useful in situations, where the audit system is overwhelmed
 # with incoming audit events, and needs to temporarily store them until they can be processed.
 # This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
 # This value governs if the below extra-vars for auditd should be used by the role
 rhel9cis_auditd_extra_conf_usage: false
@ -543,14 +660,33 @@ rhel9cis_auditd_extra_conf:
    admin_space_left: 50
    space_left: 75
-# The audit_back_log_limit value should never be below 8192
+##  Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
 # system can buffer in memory, if the audit subsystem is unable to process them in real-time.
 # Buffering in memory is useful in situations, where the audit system is overwhelmed
 # with incoming audit events, and needs to temporarily store them until they can be processed.
 # This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
 rhel9cis_audit_back_log_limit: 8192
-### 4.1.3.x audit template
+## Control 4.1.2.1 - Ensure audit log storage size is configured
 # This variable specifies the maximum size in MB that an audit log file can reach
 # before it is archived or deleted to make space for the new audit data.
 # This should be set based on your sites policy. CIS does not provide a specific value.
 rhel9cis_max_log_file_size: 10
 ## 4.1.3.x - Audit template
 # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the
 # audit settings are overwritten with the role's template. In order to exclude
 # specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above
 # to `false`.
 update_audit_template: false
 ## Advanced option found in auditd post
 # users whose actions are not logged by auditd
 rhel9cis_allow_auditd_uid_user_exclusions: false
 # add a list of uids to be excluded.
 rhel9cis_auditd_uid_exclude:
    - 1999
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
@ -567,28 +703,56 @@ rhel9cis_remote_log_retrycount: 100
 rhel9cis_remote_log_queuesize: 1000
 #### 4.2.1.7
 # This variable expresses whether the system is used as a log server or not.
 # If set to `true`, controls that interfere with log server functionality or
 # require that own system logs be sent to some other log server are skipped.
 rhel9cis_system_is_log_server: false
 # 4.2.2.1.2
 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to
 rhel9cis_journal_upload_url: 192.168.50.42
-# The paths below have the default paths/files, but allow user to create custom paths/filenames
+
 ## The paths below have the default paths/files, but allow user to create custom paths/filenames
 # This variable specifies the path to the private key file used by the remote journal
 # server to authenticate itself to the client. This key is used alongside the server's
 # public certificate to establish secure communication.
 rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
 # This variable specifies the path to the public certificate file of the remote journal
 # server. This certificate is used to verify the authenticity of the remote server.
 rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
 # This variable specifies the path to a file containing one or more public certificates
 # of certificate authorities (CAs) that the client trusts. These trusted certificates are used
 # to validate the authenticity of the remote server's certificate.
 rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
 # 4.2.2.1
 # The variables below related to journald, please set these to your site specific values
 # These variable specifies how much disk space the journal may use up at most
 # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
 # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
 # ATTENTION: Uncomment the keyword below when values are set!
 # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use
 rhel9cis_journald_systemmaxuse: 10M
 # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free
 rhel9cis_journald_systemkeepfree: 100G
 # rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most.
 # same as rhel9cis_journald_systemmaxuse.
 rhel9cis_journald_runtimemaxuse: 10M
 # rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free
 # same as rhel9cis_journald_systemkeepfree.
 rhel9cis_journald_runtimekeepfree: 100G
-# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+# rhel9cis_journald_MaxFileSec is how long in time to keep log files.
 # This variable specifies, the maximum time to store entries in a single journal
 # file before rotating to the next one. Set to 0 to turn off this feature.
 # The given values is interpreted as seconds, unless suffixed with the units
 # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
 # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 # ATTENTION: Uncomment the keyword below when values are set!
 rhel9cis_journald_maxfilesec: 1month
 #### 4.3
 # This variable defines the log file rotation period.
 # Options are: daily, monthly, yearly.
 rhel9cis_logrotate: "daily"
 ## Section5 vars
@ -597,20 +761,61 @@ rhel9cis_logrotate: "daily"
 rhel9_cis_sshd_config_file: /etc/ssh/sshd_config
 rhel9cis_sshd:
    # This variable sets the maximum number of unresponsive "keep-alive" messages
    # that can be sent from the server to the client before the connection is considered
    # inactive and thus, closed.
    clientalivecountmax: 0
    # This variable sets the time interval in seconds between sending "keep-alive"
    # messages from the server to the client. These types of messages are intended to
    # keep the connection alive and prevent it being terminated due to inactivity.
    clientaliveinterval: 900
    # This variable specifies the amount of seconds allowed for successful authentication to
    # the SSH server.
    logingracetime: 60
-    # WARNING: make sure you understand the precedence when working with these values!!
+    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
-    # allowusers:
+    # access for users whose user name matches one of the patterns. This is done
-    # allowgroups: systems dba
+    # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
-    # denyusers:
+    # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
-    # denygroups:
+    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    # For more info, see https://linux.die.net/man/5/sshd_config
    allow_users: ""
    # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
    # for users whose primary group or supplementary group list matches one of the patterns. This is done
    # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    # For more info, https://linux.die.net/man/5/sshd_config
    allow_groups: wheel
    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
    # for users whose user name matches one of the patterns. This is done
    # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
    # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    # For more info, see https://linux.die.net/man/5/sshd_config
    deny_users: nobody
    # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
    # for users whose primary group or supplementary group list matches one of the patterns. This is done
    # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    # For more info, see https://linux.die.net/man/5/sshd_config
    deny_groups: ""
-# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
+# 5.2.5 SSH LogLevel setting.
 # This variable is used to control the verbosity of the logging produced by the SSH server.
 # The options for setting it are as follows:
 # - `QUIET`: Minimal logging;
 # - `FATAL`: logs only fatal errors;
 # - `ERROR`: logs error messages;
 # - `INFO`: logs informational messages in addition to errors;
 # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
 # - `DEBUG`: generates very detailed debugging information including sensitive information.
 # - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1.
 rhel9cis_ssh_loglevel: INFO
 # 5.2.19 SSH MaxSessions setting. Must be 4 our less
 rhel9cis_ssh_maxsessions: 4
 ## Control 5.5.1.4
 # This variable specifies the number of days of inactivity before an account will be locked.
 # CIS requires a value of 30 days or less.
 rhel9cis_inactivelock:
    lock_days: 30
@ -628,32 +833,65 @@ rhel9cis_authselect_custom_profile_create: false
 # 5.3.2 Enable automation to select custom profile options, using the settings above
 rhel9cis_authselect_custom_profile_select: false
 ## Controls 5.5.1.x - Password settings
 rhel9cis_pass:
    ## Control 5.5.1.2
    # This variable governs after how many days a  password expires.
    # CIS requires a value of 365 or less.
    max_days: 365
    ## Control 5.5.1.1
    # This variable specifies the minimum number of days allowed between changing passwords.
    # CIS requires a value of at least 1.
    min_days: 7
    ## Control 5.5.1.3
    # This variable governs, how many days before a password expires, the user will be warned.
    # CIS requires a value of at least 7.
    warn_age: 7
 # 5.5.1
 ## PAM
 rhel9cis_pam_password:
    # This variable sets the minimum chars a password needs to be set.
    minlen: 14
    # This variable set password complexity,the minimum number of
    # character types that must be used (i.e., uppercase, lowercase, digits, other)
    # Set to 2, passwords cannot have all lower/upper case.
    # Set to 3, passwords needs numbers.
    # set to 4, passwords will have to include all four types of characters.
    minclass: 4
 rhel9cis_pam_faillock:
    # This variable sets the amount of time a user will be unlocked after
    # the max amount of password failures.
    unlock_time: 900
    # This variable sets the amount of tries a password can be entered, before a user is locked.
    deny: 5
    # This variable represents the number of password change cycles, after which
    # a user can re-use a password.
    # CIS requires a value of 5 or more.
    remember: 5
 # UID settings for interactive users
 # These are discovered via logins.def if set true
 discover_int_uid: false
 # This variable sets the minimum number from which to search for UID
 # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
 # been set to `true`.
 min_int_uid: 1000
 # This variable sets the maximum number at which the search stops for UID
 # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
 # been set to `true`.
 max_int_uid: 65533
 # 5.3.3 var log location variable
 # This variable defines the path and file name of the sudo log file.
 rhel9cis_sudolog_location: "/var/log/sudo.log"
 #### 5.3.6
 # This variable sets the duration (in minutes) during which a user's authentication credentials
 # are cached after successfully authenticating using "sudo". This allows the user to execute
 # multiple commands with elevated privileges without needing to re-enter their password for each
 # command within the specified time period. CIS requires a value of at most 15 minutes.
 rhel9cis_sudo_timestamp_timeout: 15
 ### 5.4.2 authselect and faillock
@ -668,12 +906,24 @@ rhel9cis_5_4_2_risks: NEVER
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)
 rhel9cis_shell_session_timeout:
    # This variable specifies the path of the timeout setting file.
    # (TMOUT setting can be set in multiple files, but only one is required for the
    # rule to pass. Options are:
    # - a file in `/etc/profile.d/` ending in `.s`,
    # - `/etc/profile`, or
    # - `/etc/bash.bashrc`.
    file: /etc/profile.d/tmout.sh
    # This variable represents the amount of seconds a command or process is allowed to
    # run before being forcefully terminated.
    # CIS requires a value of at most 900 seconds.
    timeout: 600
 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel9cis_futurepwchgdate_autofix: true
-# 5.3.7
+## 5.3.7
 # This variable determines the group of users that are allowed to use the su command.
 # one to specify a user group that is allowed to use the "su" command.
 # CIS requires that such a group be created (named according to site policy) and be kept empty.
 rhel9cis_sugroup: nosugroup
 ## Section6 vars
@ -686,7 +936,7 @@ rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
 # 6.2.16
-## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
+## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis reedbacj
 rhel_09_6_2_16_home_follow_symlinks: false
 #### Goss Configuration Settings ####