---
# defaults file for rhel9-cis
# WARNING:
# These values may be overridden by other vars-setting options (e.g. the 'container_vars_file' below), as explained here:
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable

## Usage on containerized images
# The role discovers dynamically (in tasks/main.yml) whether it
# is executed on a container image and, if so, sets the variable
# system_is_container to true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false

# The filename of the existing yml file in the role's 'vars/' sub-directory
# to be used for managing the role behavior when a container was detected:
# (de)activating rules or other tasks (e.g. disabling SELinux or a specific
# firewall type).
container_vars_file: is_container.yml

# rhel9cis is left off the front of this var for consistency in the testing pipeline.
# The system_is_ec2 toggle disables tasks that fail on Amazon EC2 instances. Set true to skip them, false to run them.
system_is_ec2: false

# Run the OS validation check
# Supported OSs will not need this to be changed; for others (e.g. CentOS) see the README.
os_check: true

## Switching on/off specific baseline sections
# These variables govern whether the tasks of a particular section are executed when running the role.
# E.g.: if you want to execute the tasks of Section 1, set the "_section1" variable to true.
# If you do not want the tasks from that section to be executed, set the variable to false.
rhel9cis_section1: true
rhel9cis_section2: true
rhel9cis_section3: true
rhel9cis_section4: true
rhel9cis_section5: true
rhel9cis_section6: true

# This is used for audit purposes; to run only a specific level use the tags,
# e.g.
# - level1-server
# - level2-workstation
rhel9cis_level_1: true
rhel9cis_level_2: true

## 1.6 SubSection - Mandatory Access Control
# This variable governs whether SELinux is disabled or not.
# If SELinux is NOT disabled (i.e. 'rhel9cis_selinux_disable' is left at 'false'), the 1.6 subsection will be executed.
rhel9cis_selinux_disable: false

# This variable is used in a preliminary task handling grub2 paths, either for
# UEFI boot ('/etc/grub2-efi.cfg') or for BIOS legacy boot ('/etc/grub2.cfg').
rhel9cis_legacy_boot: false

## Python Binary
## This is used for python3 installations where python2 OS modules are used in ansible
python2_bin: /bin/python2.7

## Benchmark name used by the auditing control role
# The audit variable found at the base
## metadata for Audit benchmark
benchmark_version: 'v1.0.0'
benchmark: RHEL9-CIS

# Whether to skip the system reboot before audit
# The system will reboot if false, which can give better audit results
skip_reboot: true

# Default value; tasks whose changes require a reboot set it to true. If rebooting is not
# enabled the role won't reboot, but it will raise an error.
change_requires_reboot: false

##########################################
### Goss is required on the remote host ###
## Refer to vars/auditd.yml for any other settings ##
#### Basic external goss audit enablement settings ####
#### Precise details per setting can be found at the bottom of this file ####

## Audit setup
# Audits are carried out using Goss. This variable
# determines whether execution of the role prepares for auditing
# by installing the required binary.
setup_audit: false

## Enable audits to run - this runs the audit and gets the latest content
# This variable governs whether the audit using the
# separately maintained audit role using Goss
# is carried out.
run_audit: false

# Only run the audit, do not remediate
audit_only: false

# This will enable files to be copied back to the control node (part of audit_only)
fetch_audit_files: false

# Path to copy the files to; the dir structure will be created (part of audit_only)
# NOTE(review): the default is a placeholder containing spaces, not a usable path - override it before enabling fetch_audit_files.
audit_capture_files_dir: /some/location to copy to on control node

## How to retrieve the audit binary (Goss)
# Options are 'copy' or 'download' - detailed settings at the bottom of this file
# - if 'copy':
#   - the filepath given via the 'audit_bin_copy_location' var below will be used to access an already downloaded Goss
# - if 'download':
#   - the GitHub Goss-releases URL will be used for a fresh download, via the 'audit_bin_url' and 'audit_pkg_arch_name' vars
# NOTE(review): 'download' places an executable on every target host; confirm the download task pins a release and
# verifies its checksum/signature before it is run, otherwise the audit binary is an unverified supply-chain dependency.
get_audit_binary_method: download

## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g. copy from the ansible control node to the remote host
audit_bin_copy_location: /some/accessible/path

## How to retrieve the audit role
# The role for auditing is maintained separately.
# This variable specifies the method of how to get the audit role.
# Options are git/copy/archive/get_url, e.g. if you wish to run from already downloaded content
# on the system. The options are as follows:
# - 'git': clone audit content from the GitHub REPOSITORY set via the `audit_file_git` var, at the
#   VERSION (e.g. branch, tag name) set via the `audit_git_version` var.
# - 'copy': copy from the path specified in variable `audit_conf_copy`.
# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked.
# - 'get_url': download from the URL specified in variable `audit_files_url`
# NOTE(review): the audit content drives what Goss executes on the target, so treat it like code: pin a
# version/tag for 'git' and fetch 'get_url' content only from a trusted, access-controlled location over https.
audit_content: git

# This variable (only used when 'audit_content' is 'copy' or 'archive') should
# contain the filepath with audit content to be copied/unarchived on the server:
audit_conf_copy: "some path to copy from"

# This variable (only used when 'audit_content' is 'get_url') should
# contain the URL from where the audit content must be downloaded on the server:
audit_files_url: "some url maybe s3?"

# Run heavy tests - some tests have more impact on a system; enabling these can have a greater impact on a system
audit_run_heavy_tests: true

# Timeout for those cmds that take longer to run, where a timeout is set
# This variable specifies the timeout (in ms) for audit commands that
# take a very long time: if a command takes too long to complete,
# it will be forcefully terminated after the specified duration.
audit_cmd_timeout: 120000

### End Goss enablements ####

# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section
# group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_2_1: true rhel9cis_rule_1_1_2_2: true rhel9cis_rule_1_1_2_3: true rhel9cis_rule_1_1_2_4: true rhel9cis_rule_1_1_3_1: true rhel9cis_rule_1_1_3_2: true rhel9cis_rule_1_1_3_3: true rhel9cis_rule_1_1_4_1: true rhel9cis_rule_1_1_4_2: true rhel9cis_rule_1_1_4_3: true rhel9cis_rule_1_1_4_4: true rhel9cis_rule_1_1_5_1: true rhel9cis_rule_1_1_5_2: true rhel9cis_rule_1_1_5_3: true rhel9cis_rule_1_1_5_4: true rhel9cis_rule_1_1_6_1: true rhel9cis_rule_1_1_6_2: true rhel9cis_rule_1_1_6_3: true rhel9cis_rule_1_1_6_4: true rhel9cis_rule_1_1_7_1: true rhel9cis_rule_1_1_7_2: true rhel9cis_rule_1_1_7_3: true rhel9cis_rule_1_1_8_1: true rhel9cis_rule_1_1_8_2: true rhel9cis_rule_1_1_8_3: true rhel9cis_rule_1_1_8_4: true rhel9cis_rule_1_1_18: true rhel9cis_rule_1_1_19: true rhel9cis_rule_1_1_20: true rhel9cis_rule_1_1_21: true rhel9cis_rule_1_1_9: true rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_3: true rhel9cis_rule_1_2_4: true rhel9cis_rule_1_3_1: true rhel9cis_rule_1_3_2: true rhel9cis_rule_1_3_3: true rhel9cis_rule_1_4_1: true rhel9cis_rule_1_4_2: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true rhel9cis_rule_1_6_1_1: true rhel9cis_rule_1_6_1_2: true rhel9cis_rule_1_6_1_3: true rhel9cis_rule_1_6_1_4: true rhel9cis_rule_1_6_1_5: true rhel9cis_rule_1_6_1_6: true rhel9cis_rule_1_6_1_7: true rhel9cis_rule_1_6_1_8: true rhel9cis_rule_1_7_1: true rhel9cis_rule_1_7_2: true rhel9cis_rule_1_7_3: true rhel9cis_rule_1_7_4: true rhel9cis_rule_1_7_5: true rhel9cis_rule_1_7_6: true rhel9cis_rule_1_8_1: true rhel9cis_rule_1_8_2: true rhel9cis_rule_1_8_3: true rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_5: true 
rhel9cis_rule_1_8_6: true rhel9cis_rule_1_8_7: true rhel9cis_rule_1_8_8: true rhel9cis_rule_1_8_9: true rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true # Section 2 rules are controling Services (Special Purpose Services, and service clients) rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_2_1: true rhel9cis_rule_2_2_2: true rhel9cis_rule_2_2_3: true rhel9cis_rule_2_2_4: true rhel9cis_rule_2_2_5: true rhel9cis_rule_2_2_6: true rhel9cis_rule_2_2_7: true rhel9cis_rule_2_2_8: true rhel9cis_rule_2_2_9: true rhel9cis_rule_2_2_10: true rhel9cis_rule_2_2_11: true rhel9cis_rule_2_2_12: true rhel9cis_rule_2_2_13: true rhel9cis_rule_2_2_14: true rhel9cis_rule_2_2_15: true rhel9cis_rule_2_2_16: true rhel9cis_rule_2_2_17: true rhel9cis_rule_2_2_18: true rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true # Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings) rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true rhel9cis_rule_3_3_1: true rhel9cis_rule_3_3_2: true rhel9cis_rule_3_3_3: true rhel9cis_rule_3_3_4: true rhel9cis_rule_3_3_5: true rhel9cis_rule_3_3_6: true rhel9cis_rule_3_3_7: true rhel9cis_rule_3_3_8: true rhel9cis_rule_3_3_9: true rhel9cis_rule_3_4_1_1: true rhel9cis_rule_3_4_1_2: true rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_3: true rhel9cis_rule_3_4_2_4: true rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true # Section 4 rules are Logging and Auditing (Configure System Accounting (auditd), # Configure Data Retention, and Configure Logging) rhel9cis_rule_4_1_1_1: true rhel9cis_rule_4_1_1_2: true rhel9cis_rule_4_1_1_3: true rhel9cis_rule_4_1_1_4: true rhel9cis_rule_4_1_2_1: true rhel9cis_rule_4_1_2_2: true rhel9cis_rule_4_1_2_3: true 
rhel9cis_rule_4_1_3_1: true rhel9cis_rule_4_1_3_2: true rhel9cis_rule_4_1_3_3: true rhel9cis_rule_4_1_3_4: true rhel9cis_rule_4_1_3_5: true rhel9cis_rule_4_1_3_6: true rhel9cis_rule_4_1_3_7: true rhel9cis_rule_4_1_3_8: true rhel9cis_rule_4_1_3_9: true rhel9cis_rule_4_1_3_10: true rhel9cis_rule_4_1_3_11: true rhel9cis_rule_4_1_3_12: true rhel9cis_rule_4_1_3_13: true rhel9cis_rule_4_1_3_14: true rhel9cis_rule_4_1_3_15: true rhel9cis_rule_4_1_3_16: true rhel9cis_rule_4_1_3_17: true rhel9cis_rule_4_1_3_18: true rhel9cis_rule_4_1_3_19: true rhel9cis_rule_4_1_3_20: true rhel9cis_rule_4_1_3_21: true rhel9cis_rule_4_1_4_1: true rhel9cis_rule_4_1_4_2: true rhel9cis_rule_4_1_4_3: true rhel9cis_rule_4_1_4_4: true rhel9cis_rule_4_1_4_5: true rhel9cis_rule_4_1_4_6: true rhel9cis_rule_4_1_4_7: true rhel9cis_rule_4_1_4_8: true rhel9cis_rule_4_1_4_9: true rhel9cis_rule_4_1_4_10: true rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_3: true rhel9cis_rule_4_2_1_4: true rhel9cis_rule_4_2_1_5: true rhel9cis_rule_4_2_1_6: true rhel9cis_rule_4_2_1_7: true rhel9cis_rule_4_2_2_1_1: true rhel9cis_rule_4_2_2_1_2: true rhel9cis_rule_4_2_2_1_3: true rhel9cis_rule_4_2_2_1_4: true rhel9cis_rule_4_2_2_2: true rhel9cis_rule_4_2_2_3: true rhel9cis_rule_4_2_2_4: true rhel9cis_rule_4_2_2_5: true rhel9cis_rule_4_2_2_6: true rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true # Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers, # Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment) rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_2: true rhel9cis_rule_5_1_3: true rhel9cis_rule_5_1_4: true rhel9cis_rule_5_1_5: true rhel9cis_rule_5_1_6: true rhel9cis_rule_5_1_7: true rhel9cis_rule_5_1_8: true rhel9cis_rule_5_1_9: true rhel9cis_rule_5_2_1: true rhel9cis_rule_5_2_2: true rhel9cis_rule_5_2_3: true rhel9cis_rule_5_2_4: true rhel9cis_rule_5_2_5: true rhel9cis_rule_5_2_6: true 
rhel9cis_rule_5_2_7: true rhel9cis_rule_5_2_8: true rhel9cis_rule_5_2_9: true rhel9cis_rule_5_2_10: true rhel9cis_rule_5_2_12: true rhel9cis_rule_5_2_11: true rhel9cis_rule_5_2_13: true rhel9cis_rule_5_2_14: true rhel9cis_rule_5_2_15: true rhel9cis_rule_5_2_16: true rhel9cis_rule_5_2_17: true rhel9cis_rule_5_2_18: true rhel9cis_rule_5_2_19: true rhel9cis_rule_5_2_20: true rhel9cis_rule_5_3_1: true rhel9cis_rule_5_3_2: true rhel9cis_rule_5_3_3: true rhel9cis_rule_5_3_4: true rhel9cis_rule_5_3_5: true rhel9cis_rule_5_3_6: true rhel9cis_rule_5_3_7: true rhel9cis_rule_5_4_1: true rhel9cis_rule_5_4_2: true rhel9cis_rule_5_5_1: true rhel9cis_rule_5_5_2: true rhel9cis_rule_5_5_3: true rhel9cis_rule_5_5_4: true rhel9cis_rule_5_5_5: true rhel9cis_rule_5_6_1_1: true rhel9cis_rule_5_6_1_2: true rhel9cis_rule_5_6_1_3: true rhel9cis_rule_5_6_1_4: true rhel9cis_rule_5_6_1_5: true rhel9cis_rule_5_6_2: true rhel9cis_rule_5_6_3: true rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true rhel9cis_rule_5_6_6: true # Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true rhel9cis_rule_6_1_4: true rhel9cis_rule_6_1_5: true rhel9cis_rule_6_1_6: true rhel9cis_rule_6_1_7: true rhel9cis_rule_6_1_8: true rhel9cis_rule_6_1_9: true rhel9cis_rule_6_1_10: true rhel9cis_rule_6_1_11: true rhel9cis_rule_6_1_12: true rhel9cis_rule_6_1_13: true rhel9cis_rule_6_1_14: true rhel9cis_rule_6_1_15: true rhel9cis_rule_6_2_1: true rhel9cis_rule_6_2_2: true rhel9cis_rule_6_2_3: true rhel9cis_rule_6_2_4: true rhel9cis_rule_6_2_5: true rhel9cis_rule_6_2_6: true rhel9cis_rule_6_2_7: true rhel9cis_rule_6_2_8: true rhel9cis_rule_6_2_9: true rhel9cis_rule_6_2_10: true rhel9cis_rule_6_2_11: true rhel9cis_rule_6_2_12: true rhel9cis_rule_6_2_13: true rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true ## Section 1 vars #### 1.1.2 # These settings go into the /etc/fstab 
# file for the /tmp mount settings
# The value must contain nosuid,nodev,noexec to conform to CIS standards
# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
# If set true, the tmp.mount service is used; otherwise the fstab configuration is used
rhel9cis_tmp_svc: false

#### 1.1.9
rhel9cis_allow_autofs: false

# 1.2.1
# This is the login information for your RedHat Subscription
# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
# The intent here is to supply the real value through a secret-management utility like Ansible Vault,
# and to keep it out of version control. The values below are placeholders only.
rhel9cis_rh_sub_user: user
rhel9cis_rh_sub_password: password  # pragma: allowlist secret

# 1.2.2
# Do you require rhnsd
# RedHat Satellite Subscription items
rhel9cis_rhnsd_required: false

# Control 1.2.4 - When installing RHEL from an authorized Red Hat source, RHEL will come with a default YUM repository. NOT having a default YUM
# repo ('rhel9cis_rhel_default_repo' set to 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set to 'true', will enable the tasks
# which check the GPG signatures for all the individual YUM repositories.
rhel9cis_rhel_default_repo: true

# Control 1.2.4 - When 'rhel9cis_rule_enable_repogpg' is set to 'true' (in conjunction with 'rhel9cis_rhel_default_repo': 'false'), conditions are met for
# enabling the GPG signature check for all the individual YUM repositories. If the GPG signature check is enabled on repositories which do not
# support it (like RedHat), installation of packages will fail.
rhel9cis_rule_enable_repogpg: true

# Control 1.4.1 - This variable will store the hashed GRUB bootloader password to be stored in the '/boot/grub2/user.cfg' file. The default value
# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
# this format: 'grub.pbkdf2.sha512...'
# NOTE(review): this default hash is published with the role, so it must be treated as public knowledge and gives no real
# protection; every deployment should override it (via vault or a host/group var) with a hash generated locally.
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'  # pragma: allowlist secret
rhel9cis_bootloader_password: random  # pragma: allowlist secret

# Control 1.4.1 - This variable governs whether a bootloader password should be set in the /boot/grub2/user.cfg file.
rhel9cis_set_boot_pass: true

## Controls 1.8.x - Settings for GDM
# This variable specifies the GNOME configuration database file to which configurations are written.
# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
# The default database is `local`
rhel9cis_dconf_db_name: local

# This variable governs the number of seconds of inactivity before the screen goes blank.
rhel9cis_screensaver_idle_delay: 900  # Set max value for idle-delay in seconds (between 1 and 900)

# This variable governs the number of seconds the screen remains blank before it is locked.
rhel9cis_screensaver_lock_delay: 5  # Set max value for lock-delay in seconds (between 0 and 5)

# Control 1.10 - This variable contains the value to be set as the system-wide crypto policy. Rule 1.10 enforces
# NOT using the 'LEGACY' value (it is less secure; it only ensures compatibility with legacy systems), therefore
# the possible values for this variable are, as explained by the RedHat docs:
# - 'DEFAULT': reasonable default policy for today's standards (balances usability and security)
# - 'FUTURE': conservative security level that is believed to withstand any near-term future attacks
# - 'FIPS': a level that conforms to the FIPS 140-2 requirements
# NOTE(review): selecting 'FIPS' here only switches the crypto policy; Red Hat documents FIPS mode as a system-wide
# setting (fips-mode-setup / kernel fips=1) - confirm how this role applies it before relying on it for compliance.
rhel9cis_crypto_policy: 'DEFAULT'

# Control 1.10 - This variable contains the value of the crypto policy module (combinations of policies and
# sub-policies) to be allowed as the default setting.
# Allowed options are defined in the 'vars/main.yml' file,
# using the 'rhel9cis_allowed_crypto_policies_modules' variable.
rhel9cis_crypto_policy_module: ''

# System network parameters (host only OR host and router)
# This variable governs whether specific CIS rules
# concerned with acceptance and routing of packets are skipped.
rhel9cis_is_router: false

## IPv6 requirement toggle
# This variable governs whether ipv6 is enabled or disabled.
rhel9cis_ipv6_required: true

## Control 1.3.1 - allow aide to be configured
# AIDE is a file integrity checking tool, similar in nature to Tripwire.
# While it cannot prevent intrusions, it can detect unauthorized changes
# to configuration files by alerting when the files are changed. Review
# the AIDE quick start guide and AIDE documentation before proceeding.
# By setting this variable to `true`, all of the settings related to AIDE will be applied!
rhel9cis_config_aide: true

## Control 1.3.2 AIDE cron settings
# These are the crontab settings for periodic checking of the filesystem's integrity using AIDE.
# The sub-settings of this variable provide the parameters required to configure
# the cron job on the target system.
# Cron is a time-based job scheduling program in Unix OSs, which allows tasks to be scheduled
# and executed automatically at a certain point in time.
rhel9cis_aide_cron:
  # This variable represents the user account under which the cron job for AIDE will run.
  cron_user: root
  # This variable represents the path to the AIDE crontab file.
  cron_file: /etc/cron.d/aide_cron
  # This variable represents the actual command or script that the cron job
  # will execute for running AIDE.
  # NOTE(review): `--check` only reports differences; cron normally mails the job's output to `cron_user`, so make
  # sure that mail (or a redirect to a monitored log) is actually read, otherwise detections are silently lost.
  aide_job: '/usr/sbin/aide --check'
  # These variables define the schedule for the cron job
  # This variable governs the minute of the time of day when the AIDE cronjob is run.
  # It must be in the range `0-59`.
  aide_minute: 0
  # This variable governs the hour of the time of day when the AIDE cronjob is run.
  # It must be in the range `0-23`.
  aide_hour: 5
  # This variable governs the day of the month when the AIDE cronjob is run.
  # `*` signifies that the job is run on all days; furthermore, specific days
  # can be given in the range `1-31`; several days can be concatenated with a comma.
  # The specified day(s) must be in the range `1-31`.
  aide_day: '*'
  # This variable governs the months when the AIDE cronjob is run.
  # `*` signifies that the job is run in every month; furthermore, specific months
  # can be given in the range `1-12`; several months can be concatenated with commas.
  # The specified month(s) must be in the range `1-12`.
  aide_month: '*'
  # This variable governs the weekdays when the AIDE cronjob is run.
  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
  # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
  # can be concatenated with commas.
  aide_weekday: '*'

## Control 1.6.1.3|4|5 - SELinux policy settings
# This selects the type of policy: targeted or mls (multilevel).
# mls should not be used, since it will disable the unconfined policy module
# and may prevent some services from running. Requires SELinux not to be disabled
# (i.e. the 'rhel9cis_selinux_disable' var left at 'false'); otherwise this setting is ignored.
rhel9cis_selinux_pol: targeted

## Control 1.6.1.3|4 - SELinux configured and not disabled
# This variable contains a specific SELinux mode, respectively:
# - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy
#                rules. If the system was installed with SELinux, this is enabled by default.
# - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only
#                 logs AVC (Access Vector Cache) messages. RedHat docs suggest it "can be used
#                 briefly to check if SELinux is the culprit in preventing your application
#                 from working".
# CIS expects enforcing, since permissive allows operations that might compromise the system
# even though logging still occurs.
rhel9cis_selinux_enforce: enforcing

# Whether or not to run tasks related to auditing/patching the desktop environment

## 2. Services
### 2.1 Time Synchronization
#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
# The following variable is a list of time servers used
# for configuring chrony, timesyncd, and ntp.
# Each list item is a server hostname; the options applied to every server come from
# 'rhel9cis_chrony_server_options' below (`minpoll` by default, `iburst` can be used as well) - please
# refer to the documentation of the time synchronization mechanism you are using.
# NOTE(review): the public pool.ntp.org defaults are unauthenticated; for hardened hosts point this at trusted
# internal time sources, since attacker-controlled time undermines certificate validity checks, Kerberos and log timelines.
rhel9cis_time_synchronization_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org

#### 2.1.2 - Time Synchronization servers
# This variable should contain the default options to be used for every NTP server hostname defined
# within the 'rhel9cis_time_synchronization_servers' var.
rhel9cis_chrony_server_options: "minpoll 8"
rhel9cis_chrony_server_rtcsync: false
rhel9cis_chrony_server_makestep: "1.0 3"
rhel9cis_chrony_server_minsources: 2

### 2.2 Special Purposes
# Service configuration variables (boolean).
# Set the respective variable to true to keep the service;
# otherwise the service is stopped and disabled.
rhel9cis_gui: false
rhel9cis_avahi_server: false
rhel9cis_cups_server: false
rhel9cis_dhcp_server: false
rhel9cis_dns_server: false
rhel9cis_dnsmasq_server: false
rhel9cis_vsftpd_server: false
rhel9cis_tftp_server: false
rhel9cis_httpd_server: false
rhel9cis_nginx_server: false
rhel9cis_dovecot_server: false
rhel9cis_imap_server: false
rhel9cis_samba_server: false
rhel9cis_squid_server: false
rhel9cis_snmp_server: false
rhel9cis_telnet_server: false
rhel9cis_is_mail_server: false

# Note the options
# Client package configuration variables.
# These packages are used by both client services and servers - only remove them if you don't use the client service.
# Set the respective variable to `true` to keep the
# client package, otherwise it is uninstalled (false).
rhel9cis_use_nfs_server: false
rhel9cis_use_nfs_service: false
rhel9cis_use_rpc_server: false
rhel9cis_use_rpc_service: false
rhel9cis_use_rsync_server: false
rhel9cis_use_rsync_service: false

#### 2.3 Service clients
rhel9cis_telnet_required: false
rhel9cis_openldap_clients_required: false
rhel9cis_tftp_client: false
rhel9cis_ftp_client: false

## Section3 vars
## Sysctl
rhel9cis_sysctl_update: false
rhel9cis_flush_ipv4_route: false
rhel9cis_flush_ipv6_route: false

### Firewall Service - either firewalld, iptables, or nftables
#### Some controls allow for services to be removed or masked
#### The options are under each heading
#### absent = remove the package
#### masked = leave the package if installed and mask the service
rhel9cis_firewall: firewalld

##### firewalld
rhel9cis_default_zone: public
# These settings are added to demonstrate how this update can be done (eventually will require a new control)
# NOTE(review): if the role applies this list, the default opens tcp/80 on every host it runs against;
# keep it empty unless the host really serves HTTP.
rhel9cis_firewalld_ports:
  - number: 80
    protocol: tcp

## Controls 3.5.2.x - nftables
# The default nftables table name is "filter". "rhel9cis_nft_tables_tablename" is the name of the
# table you want to create in nftables; it is the one all nftables configs are applied to.
# options are: inet filter
rhel9cis_nft_tables_autonewtable: true
rhel9cis_nft_tables_tablename: filter
rhel9cis_nft_tables_autochaincreate: true

# Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported.
# End Banner

## Section4 vars
### 4.1 Configure System Accounting
#### 4.1.2 Configure Data Retention
## Controls what actions are taken when log files fill up
# This variable controls how the audit system behaves when
# log files are getting too full and space is getting too low.
rhel9cis_auditd: space_left_action: email action_mail_acct: root # This variable determines the action the audit system should take when disk # space runs low. # The options for setting this variable are as follows: # - `ignore`: the system does nothing when presented with the aforementioned issue; # - `syslog`: a message is sent to the system log about disk space running low; # - `suspend`: the system suspends recording audit events until more space is available; # - `halt`: the system is halted when disk space is critically low. # - `single`: the audit daemon will put the computer system in single user mode # CIS prescribes either `halt` or `single`. admin_space_left_action: halt # The max_log_file parameter should be based on your sites policy. max_log_file: 10 # This variable determines what action the audit system should take when the maximum # size of a log file is reached. # The options for setting this variable are as follows: # - `ignore`: the system does nothing when the size of a log file is full; # - `syslog`: a message is sent to the system log indicating the problem; # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; # - `rotate`: the log file is rotated (archived) and a new empty log file is created; # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. # CIS prescribes the value `keep_logs`. 
max_log_file_action: keep_logs # This value governs if the below extra-vars for auditd should be used by the role rhel9cis_auditd_extra_conf_usage: false # This can be used to configure other keys in auditd.conf # Example: # rhel9cis_auditd_extra_conf: # admin_space_left: '10%' rhel9cis_auditd_extra_conf: admin_space_left: 50 space_left: 75 ## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the # system can buffer in memory, if the audit subsystem is unable to process them in real-time. # Buffering in memory is useful in situations, where the audit system is overwhelmed # with incoming audit events, and needs to temporarily store them until they can be processed. # This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. rhel9cis_audit_back_log_limit: 8192 ## Control 4.1.2.1 - Ensure audit log storage size is configured # This variable specifies the maximum size in MB that an audit log file can reach # before it is archived or deleted to make space for the new audit data. # This should be set based on your sites policy. CIS does not provide a specific value. rhel9cis_max_log_file_size: 10 ## 4.1.3.x - Audit template # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude # specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above # to `false`. update_audit_template: false ## Advanced option found in auditd post # users whose actions are not logged by auditd rhel9cis_allow_auditd_uid_user_exclusions: false # add a list of uids to be excluded. 
# NOTE(review): excluded UIDs leave no audit trail at all; keep this list minimal and record why each UID is on it.
rhel9cis_auditd_uid_exclude:
  - 1999

## Preferred method of logging
## Whether rsyslog or journald is the preferred method for local logging
## Affects rsyslog CIS 4.2.1.3 and journald CIS 4.2.2.5
rhel9cis_syslog: rsyslog
rhel9cis_rsyslog_ansiblemanaged: true

#### 4.2.1.6 remote and destination log server name
# NOTE(review): tcp/514 as configured here is plain text - logs can be read or altered in transit. If they cross an
# untrusted network use rsyslog's TLS transport (6514 is the conventional syslog-over-TLS port); confirm the
# role's rsyslog template supports it.
rhel9cis_remote_log_server: false
rhel9cis_remote_log_host: logagg.example.com
rhel9cis_remote_log_port: 514
rhel9cis_remote_log_protocol: tcp
rhel9cis_remote_log_retrycount: 100
rhel9cis_remote_log_queuesize: 1000

#### 4.2.1.7
# This variable expresses whether the system is used as a log server or not.
# If set to `true`, controls that interfere with log server functionality or
# require that the system's own logs be sent to some other log server are skipped.
rhel9cis_system_is_log_server: false

# 4.2.2.1.2
# rhel9cis_journal_upload_url is the address of the remote journal server to upload the journal entries to
# (presumably rendered into journal-upload.conf `URL=`).
# NOTE(review): systemd-journal-upload takes a URL, and only an https:// URL combined with the certificate settings
# below gives an authenticated, encrypted channel; the default is a bare RFC1918 IP - verify what the template renders.
rhel9cis_journal_upload_url: 192.168.50.42

## The paths below have the default paths/files, but allow the user to create custom paths/filenames
# This variable specifies the path to the private key file that this host's systemd-journal-upload
# client presents when authenticating itself to the remote journal server. It is used alongside the
# client certificate below to establish secure (mutually authenticated) communication.
# NOTE(review): earlier text described this as the remote server's key; the path is the upstream default for the
# uploading client's key (`systemd-journal-upload --key`), so it is a client-side credential - verify against the template.
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
# This variable specifies the path to the certificate file matching the key above, which this host
# presents to the remote journal server.
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" # 4.2.2.1 # The variables below related to journald, please set these to your site specific values # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. # ATTENTION: Uncomment the keyword below when values are set! # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G # rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. # same as rhel9cis_journald_systemmaxuse. rhel9cis_journald_runtimemaxuse: 10M # rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free # same as rhel9cis_journald_systemkeepfree. rhel9cis_journald_runtimekeepfree: 100G # rhel9cis_journald_MaxFileSec is how long in time to keep log files. # This variable specifies, the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. # The given values is interpreted as seconds, unless suffixed with the units # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks # ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month #### 4.3 # This variable defines the log file rotation period. # Options are: daily, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars # This will allow use of drop in files when CIS adopts them. 
rhel9_cis_sshd_config_file: /etc/ssh/sshd_config

rhel9cis_sshd:
  # This variable sets the maximum number of unresponsive "keep-alive" messages
  # that can be sent from the server to the client before the connection is considered
  # inactive and thus closed.
  # NOTE(review): sshd_config(5) for OpenSSH 8.2 and later states that a ClientAliveCountMax
  # of 0 disables connection termination, so with this default the clientaliveinterval
  # below may never close an idle session — confirm the intended value against the benchmark.
  clientalivecountmax: 0
  # This variable sets the time interval in seconds between sending "keep-alive"
  # messages from the server to the client. These messages are intended to
  # keep the connection alive and prevent it being terminated due to inactivity.
  clientaliveinterval: 900
  # This variable specifies the number of seconds allowed for successful authentication to
  # the SSH server.
  logingracetime: 60
  # WARNING: make sure you understand the precedence when working with these values!!
  # allowusers:
  # allowgroups: systems dba
  # denyusers:
  # denygroups:
  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
  # access for users whose user name matches one of the patterns. This is done
  # by setting the value of the `AllowUsers` option in the `/etc/ssh/sshd_config` file.
  # If the USER@HOST format is used, the specified user will be allowed only from that particular host.
  # The allow/deny directives are processed in this order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
  # For more info, see https://linux.die.net/man/5/sshd_config
  allow_users: ""
  # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
  # for users whose primary group or supplementary group list matches one of the patterns. This is done
  # by setting the value of the `AllowGroups` option in the `/etc/ssh/sshd_config` file.
  # The allow/deny directives are processed in this order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
  # For more info, see https://linux.die.net/man/5/sshd_config
  # NOTE(review): once AllowGroups is set, only members of a listed group can log in over SSH;
  # make sure the account Ansible connects with is in one of these groups before applying.
  allow_groups: "wheel"
  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
  # for users whose user name matches one of the patterns. This is done
  # by setting the value of the `DenyUsers` option in the `/etc/ssh/sshd_config` file.
  # If the USER@HOST format is used, the specified user will be restricted only from that particular host.
  # The allow/deny directives are processed in this order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
  # For more info, see https://linux.die.net/man/5/sshd_config
  deny_users: "nobody"
  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
  # for users whose primary group or supplementary group list matches one of the patterns. This is done
  # by setting the value of the `DenyGroups` option in the `/etc/ssh/sshd_config` file.
  # The allow/deny directives are processed in this order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
  # For more info, see https://linux.die.net/man/5/sshd_config
  deny_groups: ""

# 5.2.5 SSH LogLevel setting.
# This variable is used to control the verbosity of the logging produced by the SSH server.
# The options for setting it are as follows:
# - `QUIET`: minimal logging;
# - `FATAL`: logs only fatal errors;
# - `ERROR`: logs error messages;
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information, including sensitive information;
# - `DEBUG(x)`: where x is the debug level 1 to 3; DEBUG is equivalent to DEBUG1.
rhel9cis_ssh_loglevel: INFO

# 5.2.19 SSH MaxSessions setting. Must be 4 or less.
rhel9cis_ssh_maxsessions: 4

## Control 5.5.1.4
# This variable specifies the number of days of inactivity before an account will be locked.
# CIS requires a value of 30 days or less.
rhel9cis_inactivelock:
  lock_days: 30

rhel9cis_use_authconfig: false

# 5.3.1/5.3.2 Custom authselect profile settings.
# The settings in place now will fail; they are placeholders taken from the control example.
# Because this control can be configured in many different ways, it needs to be enabled
# explicitly and the settings adjusted to minimise risk.
rhel9cis_authselect:
  custom_profile_name: custom-profile
  default_file_to_copy: "sssd --symlink-meta"
  options: with-sudo with-faillock without-nullok

# 5.3.1 Enable automation to create a custom profile, using the settings above.
rhel9cis_authselect_custom_profile_create: false

# 5.3.2 Enable automation to select the custom profile options, using the settings above.
rhel9cis_authselect_custom_profile_select: false

## Controls 5.5.1.x - Password settings
rhel9cis_pass:
  ## Control 5.5.1.2
  # This variable governs after how many days a password expires.
  # CIS requires a value of 365 or less.
  max_days: 365
  ## Control 5.5.1.1
  # This variable specifies the minimum number of days allowed between password changes.
  # CIS requires a value of at least 1.
  min_days: 7
  ## Control 5.5.1.3
  # This variable governs how many days before a password expires the user is warned.
  # CIS requires a value of at least 7.
  warn_age: 7

# 5.5.1
## PAM
rhel9cis_pam_password:
  # This variable sets the minimum number of characters a password must have.
  minlen: 14
  # This variable sets password complexity: the minimum number of
  # character classes that must be used (i.e. uppercase, lowercase, digits, other).
  # Set to 2, passwords cannot be all lower/upper case.
  # Set to 3, passwords need numbers.
  # Set to 4, passwords must include all four types of characters.
  minclass: 4

rhel9cis_pam_faillock:
  # This variable sets how long an account stays locked after reaching the maximum
  # number of password failures before it is unlocked again.
  # pam_faillock's unlock_time is expressed in seconds (900 s = 15 minutes).
  unlock_time: 900
  # This variable sets the number of failed attempts allowed before a user is locked out.
  deny: 5
  # This variable represents the number of password change cycles after which
  # a user can re-use a password.
  # CIS requires a value of 5 or more.
  remember: 5

# UID settings for interactive users
# These are discovered via login.defs if set to true.
discover_int_uid: false
# This variable sets the minimum number from which to search for UIDs.
# Note that the value will be dynamically overwritten if the variable `discover_int_uid` has
# been set to `true`.
min_int_uid: 1000
# This variable sets the maximum number at which the search for UIDs stops.
# Note that the value will be dynamically overwritten if the variable `discover_int_uid` has
# been set to `true`.
max_int_uid: 65533

# 5.3.3 sudo log location variable
# This variable defines the path and file name of the sudo log file.
rhel9cis_sudolog_location: "/var/log/sudo.log"

#### 5.3.6
# This variable sets the duration (in minutes) during which a user's authentication credentials
# are cached after successfully authenticating using "sudo". This allows the user to execute
# multiple commands with elevated privileges without needing to re-enter their password for each
# command within the specified time period. CIS requires a value of at most 15 minutes.
rhel9cis_sudo_timestamp_timeout: 15

### 5.4.2 authselect and faillock
## This option is used at your own risk: it will enable faillock for users.
## Only to be used on a new, clean system if not using authselect.
## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ##
rhel9cis_add_faillock_without_authselect: false
# Acknowledgement for the option above; it needs to be set to ACCEPT for that option
# to take effect (presumably checked by the 5.4.2 tasks — confirm there).
rhel9cis_5_4_2_risks: NEVER

# RHEL-09-5.4.5
# Session timeout setting file (the TMOUT setting can be set in multiple files).
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel9cis_shell_session_timeout:
  # This variable specifies the path of the timeout setting file.
  # (TMOUT can be set in multiple files, but only one is required for the
  # rule to pass. Options are:
  # - a file in `/etc/profile.d/` ending in `.sh`,
  # - `/etc/profile`, or
  # - `/etc/bash.bashrc`.
  file: /etc/profile.d/tmout.sh
  # This variable is the TMOUT value: the number of seconds an interactive shell may sit
  # idle (waiting for input at the prompt) before it is terminated. It does not limit how
  # long a running command or process may execute.
  # CIS requires a value of at most 900 seconds.
  timeout: 600

# RHEL-09-5.4.1.5 Allow ansible to expire passwords for accounts with a last-changed date in the future.
# false will just display users in violation, true will expire those users' passwords.
rhel9cis_futurepwchgdate_autofix: true

# 5.3.7
# This variable determines the group of users that are allowed to use the su command.
# CIS requires that such a group be created (named according to site policy) and be kept empty.
rhel9cis_sugroup: nosugroup

## Section6 vars
# RHEL-09_6.1.1
# NOTE(review): /var/tmp is a shared, world-writable location, so a report written there
# is readable by local users and subject to the usual shared-tmp risks; a root-owned
# directory would be safer.
rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check

# RHEL-09_6.1.10 Allow ansible to adjust world-writable files.
# false will just display world-writable files, true will remove the world-writable permission.
rhel9cis_no_world_write_adjust: true

# Jinja label used when iterating over passwd entries: reads `this_item` when it is
# defined, otherwise the loop's `item`, and renders "<id>: <home dir>".
rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

# 6.2.16
## Don't follow symlinks for changes to user home directories - thanks to @dulin-gnet and the community for rhel8-cis feedback.
rhel_09_6_2_16_home_follow_symlinks: false

#### Goss Configuration Settings ####
# Set the correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git
audit_run_script_environment:
  AUDIT_BIN: "{{ audit_bin }}"
  AUDIT_FILE: 'goss.yml'
  AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"