updated controls

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2022-04-01 15:26:13 +01:00 · 2022-04-01 15:26:13 +01:00 · f0c4701dbd
commit f0c4701dbd
parent 19a218390d
23 changed files with 238 additions and 364 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -36,6 +36,9 @@ benchmark: RHEL9-CIS
 # Whether to skip the reboot
 skip_reboot: true

+# default value will change to true but wont reboot if not enabled but will error
+change_requires_reboot: false
+
 #### Basic external goss audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####

@ -345,7 +348,7 @@ rhel9cis_rule_6_2_4: true
 rhel9cis_rule_6_2_5: true
 rhel9cis_rule_6_2_6: true
 rhel9cis_rule_6_2_7: true
-rhel9cis_rule_6_2_8: false
+rhel9cis_rule_6_2_8: true
 rhel9cis_rule_6_2_9: true
 rhel9cis_rule_6_2_10: true
 rhel9cis_rule_6_2_11: true
@ -355,46 +358,19 @@ rhel9cis_rule_6_2_14: true
 rhel9cis_rule_6_2_15: true
 rhel9cis_rule_6_2_16: true

-# Service configuration booleans set true to keep service
-rhel9cis_avahi_server: false
-rhel9cis_cups_server: false
-rhel9cis_dhcp_server: false
-rhel9cis_ldap_server: false
-rhel9cis_telnet_server: false
-rhel9cis_nfs_server: false
-rhel9cis_rpc_server: false
-rhel9cis_ntalk_server: false
-rhel9cis_rsyncd_server: false
-rhel9cis_tftp_server: false
-rhel9cis_rsh_server: false
-rhel9cis_nis_server: false
-rhel9cis_snmp_server: false
-rhel9cis_squid_server: false
-rhel9cis_smb_server: false
-rhel9cis_dovecot_server: false
-rhel9cis_httpd_server: false
-rhel9cis_vsftpd_server: false
-rhel9cis_named_server: false
-rhel9cis_nfs_rpc_server: false
-rhel9cis_is_mail_server: false
-rhel9cis_bind: false
-rhel9cis_vsftpd: false
-rhel9cis_httpd: false
-rhel9cis_dovecot: false
-rhel9cis_samba: false
-rhel9cis_squid: false
-rhel9cis_net_snmp: false
-rhel9cis_allow_autofs: false

 ## Section 1 vars

-# 1.1.2
+#### 1.1.2
 # These settings go into the /etc/fstab file for the /tmp mount settings
 # The value must contain nosuid,nodev,noexec to conform to CIS standards
 # rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
 # If set true uses the tmp.mount service else using fstab configuration
 rhel9cis_tmp_svc: false

+#### 1.1.9
+rhel9cis_allow_autofs: false
+
 # 1.2.1
 # This is the login information for your RedHat Subscription
 # DO NOT USE PLAIN TEXT PASSWORDS!!!!!
@ -407,17 +383,15 @@ rhel9cis_rh_sub_password: password
 # RedHat Satellite Subscription items
 rhel9cis_rhnsd_required: false

-# 1.3.3 var log location variable
-rhel9cis_varlog_location: "/var/log/sudo.log"

-# xinetd required
-rhel9cis_xinetd_required: false
+

 # 1.4.2 Bootloader password
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
 rhel9cis_bootloader_password: random
 rhel9cis_set_boot_pass: false

+
 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 # Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.
 rhel9cis_crypto_policy: "FUTURE"
@ -433,7 +407,7 @@ rhel9cis_config_aide: true
 # AIDE cron settings
 rhel9cis_aide_cron:
    cron_user: root
-    cron_file: /etc/cron.d/aide.cron
+    cron_file: /etc/cron.d/aide_cron
    aide_job: '/usr/sbin/aide --check'
    aide_minute: 0
    aide_hour: 5
@ -445,92 +419,124 @@ rhel9cis_aide_cron:
 rhel9cis_selinux_pol: targeted

 # Whether or not to run tasks related to auditing/patching the desktop environment
-rhel9cis_gui: false

-# Set to 'true' if X Windows is needed in your environment
-rhel9cis_xwindows_required: false
+## 2. Services

-rhel9cis_openldap_clients_required: false
-rhel9cis_telnet_required: false
-rhel9cis_talk_required: false
-rhel9cis_rsh_required: false
-rhel9cis_ypbind_required: false

-# 2.2.1.1 Time Synchronization - Either chrony or ntp
-rhel9cis_time_synchronization: chrony
-
-# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
+### 2.1 Time Synchronization
+#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
 rhel9cis_time_synchronization_servers:
    - 0.pool.ntp.org
    - 1.pool.ntp.org
    - 2.pool.ntp.org
    - 3.pool.ntp.org
-
 rhel9cis_chrony_server_options: "minpoll 8"
-rhel9cis_ntp_server_options: "iburst"
+
+### 2.2 Special Purposes
+##### Service configuration booleans set true to keep service
+rhel9cis_xinetd_server: false
+rhel9cis_gui: false
+rhel9cis_avahi_server: false
+rhel9cis_cups_server: false
+rhel9cis_dhcp_server: false
+rhel9cis_dns_server: false
+rhel9cis_ftp_server: false
+rhel9cis_vsftpd_server: false
+rhel9cis_tftp_server: false
+rhel9cis_httpd_server: false
+rhel9cis_nginx_server: false
+rhel9cis_dovecot_cyrus_server: false
+rhel9cis_samba_server: false
+rhel9cis_squid_server: false
+rhel9cis_snmp_server: false
+rhel9cis_nis_server: false
+rhel9cis_telnet_server: false
+rhel9cis_is_mail_server: false
+rhel9cis_nfs_server: false
+rhel9cis_rpc_server: false
+rhel9cis_rsync_server: false
+
+#### 2.3 Service clients
+rhel9cis_ypbind_required: false
+rhel9cis_rsh_required: false
+rhel9cis_talk_required: false
+rhel9cis_telnet_required: false
+rhel9cis_openldap_clients_required: false
+rhel9cis_tftp_client: false
+

 ## Section3 vars
-# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
-rhel9cis_host_allow:
-    - "10.0.0.0/255.0.0.0"
-    - "172.16.0.0/255.240.0.0"
-    - "192.168.0.0/255.255.0.0"
-
-# Firewall Service - either firewalld, iptables, or nftables
+### Firewall Service - either firewalld, iptables, or nftables
 rhel9cis_firewall: firewalld

-# 3.4.2.4 Default zone setting
+##### firewalld
 rhel9cis_default_zone: public
-
-# 3.4.2.5 Zone and Interface setting
-rhel9cis_int_zone: customezone
+rhel9cis_int_zone: customzone
 rhel9cis_interface: eth0
-
 rhel9cis_firewall_services:
    - ssh
    - dhcpv6-client

-# 3.4.3.2 Set nftables new table create
+#### nftables
 rhel9cis_nft_tables_autonewtable: true
 rhel9cis_nft_tables_tablename: filter
-
-# 3.4.3.3 Set nftables new chain create
 rhel9cis_nft_tables_autochaincreate: true

+#### iptables
+
 # Warning Banner Content (issue, issue.net, motd)
 rhel9cis_warning_banner: |
    Authorized uses only. All activity may be monitored and reported.
 # End Banner

 ## Section4 vars
-
+### 4.1 Configure System Accounting
+#### 4.1.2 Configure Data Retention
 rhel9cis_auditd:
    space_left_action: email
    action_mail_acct: root
    admin_space_left_action: halt
    max_log_file_action: keep_logs

-rhel9cis_logrotate: "daily"
-
 # The audit_back_log_limit value should never be below 8192
 rhel9cis_audit_back_log_limit: 8192

 # The max_log_file parameter should be based on your sites policy
 rhel9cis_max_log_file_size: 10

-# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name
+#### 4.2.1.6 remote and destation log server name
 rhel9cis_remote_log_server: logagg.example.com

-# RHEL-09-4.2.1.5
+#### 4.2.1.7
 rhel9cis_system_is_log_server: false

+# 4.2.2.1.2
+# rhel9cis_journal_upload_url is the ip address to upload the journal entries to
+rhel9cis_journal_upload_url: 192.168.50.42
+# The paths below have the default paths/files, but allow user to create custom paths/filenames
+rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
+rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
+rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
+
+# 4.2.2.1
+# The variables below related to journald, please set these to your site specific values
+# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use
+rhel9cis_journald_systemmaxuse: 10M
+# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free
+rhel9cis_journald_systemkeepfree: 100G
+rhel9cis_journald_runtimemaxuse: 10M
+rhel9cis_journald_runtimekeepfree: 100G
+# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+rhel9cis_journald_maxfilesec: 1month
+
+#### 4.3
+rhel9cis_logrotate: "daily"
+
 ## Section5 vars

 rhel9cis_sshd:
    clientalivecountmax: 0
    clientaliveinterval: 900
-    ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
-    macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
    logingracetime: 60
    # WARNING: make sure you understand the precedence when working with these values!!
    # allowusers:
@ -553,9 +559,10 @@ rhel9cis_ssh_maxsessions: 4
 rhel9cis_inactivelock:
    lock_days: 30

+
+rhel9cis_use_authconfig: false
 # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example
 # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk
-rhel9cis_use_authconfig: false
 rhel9cis_authselect:
    custom_profile_name: custom-profile
    default_file_to_copy: "sssd --symlink-meta"
@ -591,6 +598,11 @@ discover_int_uid: false
 min_int_uid: 1000
 max_int_uid: 65533

+# 5.3.3 var log location variable
+rhel9cis_sudolog_location: "/var/log/sudo.log"
+
+#### 5.3.6
+rhel9cis_sudo_timestamp_timeout: 15

 # RHEL-09-5.4.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)