ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
RHEL9-CIS/templates/ansible_vars_goss.yml.j2
Mark Bolwell 04cb2e0f1d
#54 merged into new layout 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-09-06 08:44:23 +01:00

505 lines
20 KiB
Django/Jinja
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
## metadata for benchmark
## metadata for Audit benchmark
benchmark_version: '1.0.0'
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
# If run via script this is discovered and set
host_os_distribution: {{ ansible_facts.distribution | lower }}
# timeout for each command to run where set - default = 10seconds/10000ms
timeout_ms: 60000
# Taken from LE rhel9-cis
rhel9cis_section1: {{ rhel9cis_section1 }}
rhel9cis_section2: {{ rhel9cis_section2 }}
rhel9cis_section3: {{ rhel9cis_section3 }}
rhel9cis_section4: {{ rhel9cis_section4 }}
rhel9cis_section5: {{ rhel9cis_section5 }}
rhel9cis_section6: {{ rhel9cis_section6 }}
rhel9cis_level_1: {{ rhel9cis_level_1 }}
rhel9cis_level_2: {{ rhel9cis_level_2 }}
rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }}
# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
run_heavy_tests: true
# True is BIOS based system else set to false
{% if rhel9cis_legacy_boot is defined %}
rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
{% endif %}
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 rules
# 1.1.1 Disable unused filesystems
rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
# 1.1.2 Configure /tmp
rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }}
rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }}
rhel9cis_rule_1_1_2_3: {{ rhel9cis_rule_1_1_2_3 }}
rhel9cis_rule_1_1_2_4: {{ rhel9cis_rule_1_1_2_4 }}
# 1.1.3 Configure /var
rhel9cis_rule_1_1_3_1: {{ rhel9cis_rule_1_1_3_1 }}
rhel9cis_rule_1_1_3_2: {{ rhel9cis_rule_1_1_3_2 }}
rhel9cis_rule_1_1_3_3: {{ rhel9cis_rule_1_1_3_3 }}
# 1.1.4 Configure /var/tmp
rhel9cis_rule_1_1_4_1: {{ rhel9cis_rule_1_1_4_1 }}
rhel9cis_rule_1_1_4_2: {{ rhel9cis_rule_1_1_4_2 }}
rhel9cis_rule_1_1_4_3: {{ rhel9cis_rule_1_1_4_3 }}
rhel9cis_rule_1_1_4_4: {{ rhel9cis_rule_1_1_4_4 }}
# 1.1.5 Configure /var/log
rhel9cis_rule_1_1_5_1: {{ rhel9cis_rule_1_1_5_1 }}
rhel9cis_rule_1_1_5_2: {{ rhel9cis_rule_1_1_5_2 }}
rhel9cis_rule_1_1_5_3: {{ rhel9cis_rule_1_1_5_3 }}
rhel9cis_rule_1_1_5_4: {{ rhel9cis_rule_1_1_5_4 }}
# 1.1.6 Configure /var/log/audit
rhel9cis_rule_1_1_6_1: {{ rhel9cis_rule_1_1_6_1 }}
rhel9cis_rule_1_1_6_2: {{ rhel9cis_rule_1_1_6_2 }}
rhel9cis_rule_1_1_6_3: {{ rhel9cis_rule_1_1_6_3 }}
rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }}
# 1.1.7 Configure /home
rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }}
rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }}
rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }}
# 1.1.8 Configure /dev/shm
rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }}
rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }}
rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }}
rhel9cis_rule_1_1_8_4: {{ rhel9cis_rule_1_1_8_4 }}
# 1.9 usb-storage
rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
# 1.2 Configure Software Updates
rhel9cis_rule_1_2_1: {{ rhel9cis_rule_1_2_1 }}
rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
# 1.3 Filesystem Integrity Checking
rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
# 1.4 Secure Boot Settings
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
# 1.5 Additional Process Hardening
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
# 1.6 Mandatory Access Control
rhel9cis_rule_1_6_1_1: {{ rhel9cis_rule_1_6_1_1 }}
rhel9cis_rule_1_6_1_2: {{ rhel9cis_rule_1_6_1_2 }}
rhel9cis_rule_1_6_1_3: {{ rhel9cis_rule_1_6_1_3 }}
rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }}
rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }}
rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }}
rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }}
rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }}
# 1.7 Command Line Warning Banners
rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }}
rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }}
rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }}
rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }}
rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }}
rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }}
# 1.8 Gnome Display Manager
rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_1 }}
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }}
rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }}
rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }}
rhel9cis_rule_1_8_6: {{ rhel9cis_rule_1_8_6 }}
rhel9cis_rule_1_8_7: {{ rhel9cis_rule_1_8_7 }}
rhel9cis_rule_1_8_8: {{ rhel9cis_rule_1_8_8 }}
rhel9cis_rule_1_8_9: {{ rhel9cis_rule_1_8_9 }}
rhel9cis_rule_1_8_10: {{ rhel9cis_rule_1_8_10 }}
# 1.9 Ensure updates, patches, and additional security software are installed
rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
# Ensure system-wide crypto policy is not legacy
rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
# section 2
# Services
# 2.1 Time Synchronization
rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }}
# 2.2 Special Purpose Services
rhel9cis_rule_2_2_1: {{ rhel9cis_rule_2_2_1 }}
rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }}
rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }}
rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }}
rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }}
rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }}
rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }}
rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }}
rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }}
rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }}
rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }}
rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }}
rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }}
rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }}
rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
# 2.3 service clients
rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }}
rhel9cis_rule_2_4: true
# Section 3 rules
# 3.1 Disable unused network protocols and devices
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
# 3.2 Network Parameters (Host Only)
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
# 3.3 Network Parameters (Host and Router)
rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }}
rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }}
rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }}
rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }}
rhel9cis_rule_3_3_5: {{ rhel9cis_rule_3_3_5 }}
rhel9cis_rule_3_3_6: {{ rhel9cis_rule_3_3_6 }}
rhel9cis_rule_3_3_7: {{ rhel9cis_rule_3_3_7 }}
rhel9cis_rule_3_3_8: {{ rhel9cis_rule_3_3_8 }}
rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }}
# 3.4.1 Configure firewalld
rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }}
# 3.4.1 Configure nftables
rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }}
rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }}
# Section 4 rules
# 4.1 Configure System Accounting
rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }}
rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }}
rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }}
rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }}
# 4.1.2 Configure Data retention
rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }}
rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }}
rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }}
# 4.1.3 Configure auditd rules
rhel9cis_rule_4_1_3_1: {{ rhel9cis_rule_4_1_3_1 }}
rhel9cis_rule_4_1_3_2: {{ rhel9cis_rule_4_1_3_2 }}
rhel9cis_rule_4_1_3_3: {{ rhel9cis_rule_4_1_3_3 }}
rhel9cis_rule_4_1_3_4: {{ rhel9cis_rule_4_1_3_4 }}
rhel9cis_rule_4_1_3_5: {{ rhel9cis_rule_4_1_3_5 }}
rhel9cis_rule_4_1_3_6: {{ rhel9cis_rule_4_1_3_6 }}
rhel9cis_rule_4_1_3_7: {{ rhel9cis_rule_4_1_3_7 }}
rhel9cis_rule_4_1_3_8: {{ rhel9cis_rule_4_1_3_8 }}
rhel9cis_rule_4_1_3_9: {{ rhel9cis_rule_4_1_3_9 }}
rhel9cis_rule_4_1_3_10: {{ rhel9cis_rule_4_1_3_10 }}
rhel9cis_rule_4_1_3_11: {{ rhel9cis_rule_4_1_3_11 }}
rhel9cis_rule_4_1_3_12: {{ rhel9cis_rule_4_1_3_12 }}
rhel9cis_rule_4_1_3_13: {{ rhel9cis_rule_4_1_3_13 }}
rhel9cis_rule_4_1_3_14: {{ rhel9cis_rule_4_1_3_14 }}
rhel9cis_rule_4_1_3_15: {{ rhel9cis_rule_4_1_3_15 }}
rhel9cis_rule_4_1_3_16: {{ rhel9cis_rule_4_1_3_16 }}
rhel9cis_rule_4_1_3_17: {{ rhel9cis_rule_4_1_3_17 }}
rhel9cis_rule_4_1_3_18: {{ rhel9cis_rule_4_1_3_18 }}
rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }}
rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }}
rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }}
# 4.1.4 Configure auditd file Access
rhel9cis_rule_4_1_4_1: {{ rhel9cis_rule_4_1_4_1 }}
rhel9cis_rule_4_1_4_2: {{ rhel9cis_rule_4_1_4_2 }}
rhel9cis_rule_4_1_4_3: {{ rhel9cis_rule_4_1_4_3 }}
rhel9cis_rule_4_1_4_4: {{ rhel9cis_rule_4_1_4_4 }}
rhel9cis_rule_4_1_4_5: {{ rhel9cis_rule_4_1_4_5 }}
rhel9cis_rule_4_1_4_6: {{ rhel9cis_rule_4_1_4_6 }}
rhel9cis_rule_4_1_4_7: {{ rhel9cis_rule_4_1_4_7 }}
rhel9cis_rule_4_1_4_8: {{ rhel9cis_rule_4_1_4_8 }}
rhel9cis_rule_4_1_4_9: {{ rhel9cis_rule_4_1_4_9 }}
rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }}
# 4.2.1 Configure rsyslog
rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }}
rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }}
rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }}
rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }}
rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }}
rhel9cis_rule_4_2_1_7: {{ rhel9cis_rule_4_2_1_7 }}
# 4.2.2 Configure journald
rhel9cis_rule_4_2_2_1_1: {{ rhel9cis_rule_4_2_2_1_1 }}
rhel9cis_rule_4_2_2_1_2: {{ rhel9cis_rule_4_2_2_1_2 }}
rhel9cis_rule_4_2_2_1_3: {{ rhel9cis_rule_4_2_2_1_3 }}
rhel9cis_rule_4_2_2_1_4: {{ rhel9cis_rule_4_2_2_1_4 }}
rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }}
rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }}
rhel9cis_rule_4_2_2_4: {{ rhel9cis_rule_4_2_2_4 }}
rhel9cis_rule_4_2_2_5: {{ rhel9cis_rule_4_2_2_5 }}
rhel9cis_rule_4_2_2_6: {{ rhel9cis_rule_4_2_2_6 }}
rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }}
rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
# 4.3 Logrotate
rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
# Section 5
# Authentication and Authorization
# 5.1 Configure time-based job schedulers
rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }}
rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }}
rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }}
rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }}
rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }}
rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }}
rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }}
rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }}
rhel9cis_rule_5_1_9: {{ rhel9cis_rule_5_1_9 }}
# 5.2 Configure SSH Server
rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }}
rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }}
rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }}
rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }}
rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }}
rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }}
rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }}
rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }}
rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }}
rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }}
rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }}
rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }}
rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }}
rhel9cis_rule_5_2_14: {{ rhel9cis_rule_5_2_14 }}
rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }}
rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }}
rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }}
rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }}
rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }}
rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }}
# 5.3 Configure privilege escalation
rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }}
rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }}
rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }}
rhel9cis_rule_5_3_4: {{ rhel9cis_rule_5_3_4 }}
rhel9cis_rule_5_3_5: {{ rhel9cis_rule_5_3_5 }}
rhel9cis_rule_5_3_6: {{ rhel9cis_rule_5_3_6 }}
rhel9cis_rule_5_3_7: {{ rhel9cis_rule_5_3_7 }}
# 5.4 Configure authselect
rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }}
rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }}
# 5.5 Configure PAM
rhel9cis_rule_5_5_1: {{ rhel9cis_rule_5_5_1 }}
rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }}
rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }}
rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }}
# 5.6 User Accounts and Environment
# 5.6.1 Set Shadow Password Suite Parameters
rhel9cis_rule_5_6_1_1: {{ rhel9cis_rule_5_6_1_1 }}
rhel9cis_rule_5_6_1_2: {{ rhel9cis_rule_5_6_1_2 }}
rhel9cis_rule_5_6_1_3: {{ rhel9cis_rule_5_6_1_3 }}
rhel9cis_rule_5_6_1_4: {{ rhel9cis_rule_5_6_1_4 }}
rhel9cis_rule_5_6_1_5: {{ rhel9cis_rule_5_6_1_5 }}
rhel9cis_rule_5_6_2: {{ rhel9cis_rule_5_6_2 }}
rhel9cis_rule_5_6_3: {{ rhel9cis_rule_5_6_3 }}
rhel9cis_rule_5_6_4: {{ rhel9cis_rule_5_6_4 }}
rhel9cis_rule_5_6_5: {{ rhel9cis_rule_5_6_5 }}
rhel9cis_rule_5_6_6: {{ rhel9cis_rule_5_6_6 }}
# Section 6
# 6 System Maintenance
# 6.1 System File Permissions
rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }}
rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }}
rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }}
rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }}
rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }}
rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }}
rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }}
rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }}
rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }}
rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }}
rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }}
rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }}
rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }}
rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }}
rhel9cis_rule_6_1_15: {{ rhel9cis_rule_6_1_15 }}
# 6.2 User and Group Settings
rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }}
rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }}
rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }}
rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }}
rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }}
rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }}
rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }}
rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }}
rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }}
rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }}
rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }}
rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }}
rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }}
rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }}
rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }}
rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }}
############
# Section 1
# AIDE
rhel9cis_config_aide: {{ rhel9cis_config_aide }}
# Whether or not to run tasks related to auditing/patching the desktop environment
rhel9cis_gui: {{ rhel9cis_gui }}
# Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
# End Banner
# aide setup via - cron, timer
rhel9_aide_scan: cron
# 1.8 Gnome Desktop
rhel9cis_dconf_db_name: {{ rhel9cis_dconf_db_name }}
rhel9cis_screensaver_idle_delay: {{ rhel9cis_screensaver_idle_delay }} # Set max value for idle-delay in seconds (between 1 and 900)
rhel9cis_screensaver_lock_delay: {{ rhel9cis_screensaver_lock_delay }} # Set max value for lock-delay in seconds (between 0 and 5)
# Section 2
## 2.2 Special Purposes
# Set to 'true' if X Windows is needed in your environment
rhel9cis_xwindows_required: false
### Service configuration booleans set true to keep service
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
rhel9cis_cups_server: {{ rhel9cis_cups_server }}
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
rhel9cis_dns_server: {{ rhel9cis_dns_server }}
rhel9cis_dnsmasq_server: {{ rhel9cis_dnsmasq_server }}
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }}
rhel9cis_imap_server: {{ rhel9cis_imap_server }}
rhel9cis_samba_server: {{ rhel9cis_samba_server }}
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
# Note the options
# Packages are used for client services and Server- only remove if you dont use the client service
#
rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs_server }}
rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs_service }}
rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc_server }}
rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc_service }}
rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }}
rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }}
#### 2.3 Service clients
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
rhel9cis_ftp_client: {{ rhel9cis_ftp_client }}
# Section 3
## IPv6 required
rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
## 3.2 System network parameters (host only OR host and router)
rhel9cis_is_router: {{ rhel9cis_is_router }}
## Section 3.4
### Firewall
rhel9cis_firewall: {{ rhel9cis_firewall }}
##### firewalld
rhel9cis_default_zone: {{ rhel9cis_default_zone }}
#### nftables
rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }}
rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }}
rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
# Section 4
## Set if host is a logserver
rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }}
# Remote logserver settings
rhel9cis_remote_log_host: {{ rhel9cis_remote_log_host }}
rhel9cis_remote_log_port: {{ rhel9cis_remote_log_port }}
rhel9cis_remote_log_protocol: {{ rhel9cis_remote_log_protocol }}
rhel9cis_remote_log_retrycount: {{ rhel9cis_remote_log_retrycount }}
rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }}
## syslog
rhel9cis_syslog: {{ rhel9cis_syslog }}
# Section 5
# This will allow use of drop in files when CIS adopts them.
rhel9_cis_sshd_config_file: {{ rhel9_cis_sshd_config_file }}
## 5.2.4 Note the following to understand precedence and layout
rhel9cis_sshd_limited: false
rhel9cis_sshd_access:
- AllowUser
- AllowGroup
- DenyUser
- DenyGroup
## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above
rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }}
## 5.3.2 Authselect select false if using AD or RHEL ID mgmt
rhel9cis_authselect:
custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
default_file_to_copy: {{ rhel9cis_authselect['default_file_to_copy'] }}
## 5.4.1 Enable automation to create custom profile settings, using the setings above
rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
# 5.5.1
## PAM
rhel9cis_pam_password:
minlen: {{ rhel9cis_pam_password['minlen'] }}
minclass: {{ rhel9cis_pam_password['minclass'] }}
rhel9cis_pam_passwd_retry: "3"
## 5.5.3 choose one of below
rhel9cis_pwhistory_so: "14"
rhel9cis_passwd_remember: "5"
## 5.6.x login.defs password settings
rhel9cis_pass:
max_days: {{ rhel9cis_pass['max_days'] }}
min_days: {{ rhel9cis_pass['min_days'] }}
warn_age: {{ rhel9cis_pass['warn_age'] }}
## 5.3.7 set sugroup if differs from wheel
rhel9cis_sugroup: {{ rhel9cis_sugroup }}
Reference in a new issue View git blame Copy permalink