mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 14:23:05 +00:00
1525 lines
74 KiB
YAML
1525 lines
74 KiB
YAML
---
|
|
# defaults file for rhel9-cis
|
|
# WARNING:
|
|
# These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
|
|
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
|
|
|
|
# Run the OS validation check
|
|
# Supported OSs will not need for this to be changed - see README e.g. CentOS
|
|
os_check: true
|
|
|
|
# Disruption is high
|
|
## Run tests that are considered higher risk and could have a system impact if not properly tested
|
|
## Default false
|
|
## Will be fine if clean new un-configured build
|
|
rhel9cis_disruption_high: true
|
|
|
|
## Switching on/off specific baseline sections
|
|
# These variables govern whether the tasks of a particular section are to be executed when running the role.
|
|
# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
|
|
# If you do not want the tasks from that section to get executed you simply set the variable to "false".
|
|
# Some sections support sub-section modularization. The super-section and sub-section must both be true
|
|
# for the sub-section to execute.
|
|
rhel9cis_section1: true
|
|
rhel9cis_section2: true
|
|
rhel9cis_section3: true
|
|
rhel9cis_section4: true
|
|
rhel9cis_section5: true
|
|
rhel9cis_section5_1: true
|
|
rhel9cis_section5_2: true
|
|
rhel9cis_section5_3: true
|
|
rhel9cis_section5_4: true
|
|
rhel9cis_section6: true
|
|
rhel9cis_section7: true
|
|
|
|
# This is used for audit purposes to run only specific level use the tags
|
|
# e.g.
|
|
# - level1-server
|
|
# - level2-workstation
|
|
rhel9cis_level_1: true
|
|
rhel9cis_level_2: true
|
|
|
|
# Create managed not custom local_facts files
|
|
create_benchmark_facts: true
|
|
# The path where the ansible facts file is created if audit facts are not present
|
|
ansible_facts_path: /etc/ansible/facts.d
|
|
|
|
## Section 1.6 - Mandatory Access Control
|
|
# This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting
|
|
# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
|
|
rhel9cis_selinux_disable: false
|
|
# This variable is used in a preliminary task, handling grub2 paths either in case of
|
|
# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg').
|
|
rhel9cis_legacy_boot: false
|
|
|
|
## Benchmark name used by auditing control role
|
|
# The audit variable found at the base
|
|
## metadata for Audit benchmark
|
|
benchmark_version: 'v2.0.0'
|
|
|
|
benchmark: RHEL9-CIS
|
|
|
|
# Whether to skip the system reboot before audit
|
|
# System will reboot if false, can give better audit results
|
|
skip_reboot: true
|
|
|
|
# default value will change to true but wont reboot if not enabled but will error
|
|
change_requires_reboot: false
|
|
|
|
###
|
|
### Settings for associated Audit role using Goss
|
|
###
|
|
|
|
###########################################
|
|
### Goss is required on the remote host ###
|
|
### vars/auditd.yml for other settings ###
|
|
|
|
## Audit setup
|
|
# Audits are carried out using Goss. This variable
|
|
# determines whether execution of the role prepares for auditing
|
|
# by installing the required binary.
|
|
setup_audit: false
|
|
|
|
## Enable audits to run - this runs the audit and get the latest content
|
|
# This variable governs whether the audit using the
|
|
# separately maintained audit role using Goss
|
|
# is carried out.
|
|
# This runs the audit and gets the latest content
|
|
run_audit: false
|
|
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
|
|
audit_run_heavy_tests: true
|
|
# Ability to limit the number of concurrent processes used by goss (default 50)
|
|
audit_max_concurrent: 50
|
|
|
|
## Only run Audit do not remediate
|
|
audit_only: false
|
|
### As part of audit_only ###
|
|
# Path to copy the files to will create dir structure in audit_only mode
|
|
audit_capture_files_dir: /some/location to copy to on control node
|
|
#############################
|
|
|
|
## How to retrieve audit binary(Goss)
|
|
# Options are 'copy' or 'download' - detailed settings at the bottom of this file
|
|
# - if 'copy':
|
|
# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss
|
|
# - if 'download':
|
|
# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars
|
|
get_audit_binary_method: download
|
|
|
|
## if get_audit_binary_method - copy the following needs to be updated for your environment
|
|
## it is expected that it will be copied from somewhere accessible to the control node
|
|
## e.g copy from ansible control node to remote host
|
|
audit_bin_copy_location: /some/accessible/path
|
|
|
|
## How to retrieve the audit role
|
|
# The role for auditing is maintained separately.
|
|
# This variable specifies the method of how to get the audit role
|
|
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
|
|
# onto the system. The options are as follows:
|
|
# - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and
|
|
# VERSION(e.g. branch, tag name), set up via `audit_git_version` var.
|
|
# - 'copy': copy from path as specified in variable `audit_conf_copy`.
|
|
# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked.
|
|
# - 'get_url': Download from url as specified in variable `audit_files_url`
|
|
audit_content: git
|
|
|
|
# If using either archive, copy, get_url:
|
|
## Note will work with .tar files - zip will require extra configuration
|
|
### If using get_url this is expecting github url in tar.gz format e.g.
|
|
### https://github.com/ansible-lockdown/RHEL9-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
|
|
audit_conf_source: "some path or url to copy from"
|
|
|
|
# Destination for the audit content to be placed on managed node
|
|
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
|
|
audit_conf_dest: "/opt"
|
|
|
|
# Where the audit logs are stored
|
|
audit_log_dir: '/opt'
|
|
|
|
## Ability to collect and take audit files moving to a centralized location
|
|
# This enables the collection of the files from the host
|
|
fetch_audit_output: false
|
|
|
|
# Method of getting,uploading the summary files
|
|
## Ensure access and permissions are available for these to occur.
|
|
## options are
|
|
# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
|
|
# copy - copies file to a location available to the managed node
|
|
audit_output_collection_method: fetch
|
|
|
|
# Location to put the audit files
|
|
audit_output_destination: /opt/audit_summaries/
|
|
|
|
### Goss Settings ##
|
|
####### END ########
|
|
|
|
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
|
|
# the CIS benchmark documents.
|
|
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
|
|
# You must enable an entire section in order for the variables below to take effect.
|
|
|
|
## Section 1 Fixes
|
|
# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
|
|
# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
|
|
# Filesystem kernel modules
|
|
rhel9cis_rule_1_1_1_1: true
|
|
rhel9cis_rule_1_1_1_2: true
|
|
rhel9cis_rule_1_1_1_3: true
|
|
rhel9cis_rule_1_1_1_4: true
|
|
rhel9cis_rule_1_1_1_5: true
|
|
rhel9cis_rule_1_1_1_6: true
|
|
rhel9cis_rule_1_1_1_7: true
|
|
rhel9cis_rule_1_1_1_8: true
|
|
rhel9cis_rule_1_1_1_9: true
|
|
# Filesystems
|
|
# /tmp
|
|
rhel9cis_rule_1_1_2_1_1: true
|
|
rhel9cis_rule_1_1_2_1_2: true
|
|
rhel9cis_rule_1_1_2_1_3: true
|
|
rhel9cis_rule_1_1_2_1_4: true
|
|
# /dev/shm
|
|
rhel9cis_rule_1_1_2_2_1: true
|
|
rhel9cis_rule_1_1_2_2_2: true
|
|
rhel9cis_rule_1_1_2_2_3: true
|
|
rhel9cis_rule_1_1_2_2_4: true
|
|
# /home
|
|
rhel9cis_rule_1_1_2_3_1: true
|
|
rhel9cis_rule_1_1_2_3_2: true
|
|
rhel9cis_rule_1_1_2_3_3: true
|
|
# /var
|
|
rhel9cis_rule_1_1_2_4_1: true
|
|
rhel9cis_rule_1_1_2_4_2: true
|
|
rhel9cis_rule_1_1_2_4_3: true
|
|
# /var/tmp
|
|
rhel9cis_rule_1_1_2_5_1: true
|
|
rhel9cis_rule_1_1_2_5_2: true
|
|
rhel9cis_rule_1_1_2_5_3: true
|
|
rhel9cis_rule_1_1_2_5_4: true
|
|
# /var/log
|
|
rhel9cis_rule_1_1_2_6_1: true
|
|
rhel9cis_rule_1_1_2_6_2: true
|
|
rhel9cis_rule_1_1_2_6_3: true
|
|
rhel9cis_rule_1_1_2_6_4: true
|
|
# /var/log/audit
|
|
rhel9cis_rule_1_1_2_7_1: true
|
|
rhel9cis_rule_1_1_2_7_2: true
|
|
rhel9cis_rule_1_1_2_7_3: true
|
|
rhel9cis_rule_1_1_2_7_4: true
|
|
# Package Mgmt
|
|
# Config Pkg Repos
|
|
rhel9cis_rule_1_2_1_1: true
|
|
rhel9cis_rule_1_2_1_2: true
|
|
rhel9cis_rule_1_2_1_3: true
|
|
rhel9cis_rule_1_2_1_4: true
|
|
# Package updates
|
|
rhel9cis_rule_1_2_2_1: true
|
|
# Selinux
|
|
rhel9cis_rule_1_3_1_1: true
|
|
rhel9cis_rule_1_3_1_2: true
|
|
rhel9cis_rule_1_3_1_3: true
|
|
rhel9cis_rule_1_3_1_4: true
|
|
rhel9cis_rule_1_3_1_5: true
|
|
rhel9cis_rule_1_3_1_6: true
|
|
rhel9cis_rule_1_3_1_7: true
|
|
rhel9cis_rule_1_3_1_8: true
|
|
# Bootloader
|
|
rhel9cis_rule_1_4_1: true
|
|
rhel9cis_rule_1_4_2: true
|
|
# Additional Process Hardening
|
|
rhel9cis_rule_1_5_1: true
|
|
rhel9cis_rule_1_5_2: true
|
|
rhel9cis_rule_1_5_3: true
|
|
rhel9cis_rule_1_5_4: true
|
|
# Config system wide Crypto
|
|
rhel9cis_rule_1_6_1: true
|
|
rhel9cis_rule_1_6_2: true
|
|
rhel9cis_rule_1_6_3: true
|
|
rhel9cis_rule_1_6_4: true
|
|
rhel9cis_rule_1_6_5: true
|
|
rhel9cis_rule_1_6_6: true
|
|
rhel9cis_rule_1_6_7: true
|
|
# Command line warning banners
|
|
rhel9cis_rule_1_7_1: true
|
|
rhel9cis_rule_1_7_2: true
|
|
rhel9cis_rule_1_7_3: true
|
|
rhel9cis_rule_1_7_4: true
|
|
rhel9cis_rule_1_7_5: true
|
|
rhel9cis_rule_1_7_6: true
|
|
# Gnome Display Manager
|
|
rhel9cis_rule_1_8_1: true
|
|
rhel9cis_rule_1_8_2: true
|
|
rhel9cis_rule_1_8_3: true
|
|
rhel9cis_rule_1_8_4: true
|
|
rhel9cis_rule_1_8_5: true
|
|
rhel9cis_rule_1_8_6: true
|
|
rhel9cis_rule_1_8_7: true
|
|
rhel9cis_rule_1_8_8: true
|
|
rhel9cis_rule_1_8_9: true
|
|
rhel9cis_rule_1_8_10: true
|
|
|
|
## Section 2 Fixes
|
|
# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
|
|
# Configure Server Services
|
|
rhel9cis_rule_2_1_1: true
|
|
rhel9cis_rule_2_1_2: true
|
|
rhel9cis_rule_2_1_3: true
|
|
rhel9cis_rule_2_1_4: true
|
|
rhel9cis_rule_2_1_5: true
|
|
rhel9cis_rule_2_1_6: true
|
|
rhel9cis_rule_2_1_7: true
|
|
rhel9cis_rule_2_1_8: true
|
|
rhel9cis_rule_2_1_9: true
|
|
rhel9cis_rule_2_1_10: true
|
|
rhel9cis_rule_2_1_11: true
|
|
rhel9cis_rule_2_1_12: true
|
|
rhel9cis_rule_2_1_13: true
|
|
rhel9cis_rule_2_1_14: true
|
|
rhel9cis_rule_2_1_15: true
|
|
rhel9cis_rule_2_1_16: true
|
|
rhel9cis_rule_2_1_17: true
|
|
rhel9cis_rule_2_1_18: true
|
|
rhel9cis_rule_2_1_19: true
|
|
rhel9cis_rule_2_1_20: true
|
|
rhel9cis_rule_2_1_21: true
|
|
rhel9cis_rule_2_1_22: true
|
|
# Configure Client Services
|
|
rhel9cis_rule_2_2_1: true
|
|
rhel9cis_rule_2_2_2: true
|
|
rhel9cis_rule_2_2_3: true
|
|
rhel9cis_rule_2_2_4: true
|
|
rhel9cis_rule_2_2_5: true
|
|
# Configure Time Synchronization
|
|
rhel9cis_rule_2_3_1: true
|
|
rhel9cis_rule_2_3_2: true
|
|
rhel9cis_rule_2_3_3: true
|
|
# Job Schedulers
|
|
# cron
|
|
rhel9cis_rule_2_4_1_1: true
|
|
rhel9cis_rule_2_4_1_2: true
|
|
rhel9cis_rule_2_4_1_3: true
|
|
rhel9cis_rule_2_4_1_4: true
|
|
rhel9cis_rule_2_4_1_5: true
|
|
rhel9cis_rule_2_4_1_6: true
|
|
rhel9cis_rule_2_4_1_7: true
|
|
rhel9cis_rule_2_4_1_8: true
|
|
# at
|
|
rhel9cis_rule_2_4_2_1: true
|
|
|
|
## Section 3 Fixes
|
|
# Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings)
|
|
# Network Devices
|
|
rhel9cis_rule_3_1_1: true
|
|
rhel9cis_rule_3_1_2: true
|
|
rhel9cis_rule_3_1_3: true
|
|
# Network Kernel Modules
|
|
rhel9cis_rule_3_2_1: true
|
|
rhel9cis_rule_3_2_2: true
|
|
rhel9cis_rule_3_2_3: true
|
|
rhel9cis_rule_3_2_4: true
|
|
# Network Kernel Parameters
|
|
rhel9cis_rule_3_3_1: true
|
|
rhel9cis_rule_3_3_2: true
|
|
rhel9cis_rule_3_3_3: true
|
|
rhel9cis_rule_3_3_4: true
|
|
rhel9cis_rule_3_3_5: true
|
|
rhel9cis_rule_3_3_6: true
|
|
rhel9cis_rule_3_3_7: true
|
|
rhel9cis_rule_3_3_8: true
|
|
rhel9cis_rule_3_3_9: true
|
|
rhel9cis_rule_3_3_10: true
|
|
rhel9cis_rule_3_3_11: true
|
|
|
|
## Section 4 Fixes
|
|
# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd),
|
|
# Configure Data Retention, and Configure Logging)
|
|
# Firewall utility
|
|
rhel9cis_rule_4_1_1: true
|
|
rhel9cis_rule_4_1_2: true
|
|
# Configure firewalld
|
|
rhel9cis_rule_4_2_1: true
|
|
rhel9cis_rule_4_2_2: true
|
|
# Configure nftables
|
|
rhel9cis_rule_4_3_1: true
|
|
rhel9cis_rule_4_3_2: true
|
|
rhel9cis_rule_4_3_3: true
|
|
rhel9cis_rule_4_3_4: true
|
|
|
|
## Section 5 Fixes
|
|
# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers,
|
|
# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment)
|
|
# Configure SSH Server
|
|
rhel9cis_rule_5_1_1: true
|
|
rhel9cis_rule_5_1_2: true
|
|
rhel9cis_rule_5_1_3: true
|
|
rhel9cis_rule_5_1_4: true
|
|
rhel9cis_rule_5_1_5: true
|
|
rhel9cis_rule_5_1_6: true
|
|
rhel9cis_rule_5_1_7: true
|
|
rhel9cis_rule_5_1_8: true
|
|
rhel9cis_rule_5_1_9: true
|
|
rhel9cis_rule_5_1_10: true
|
|
rhel9cis_rule_5_1_11: true
|
|
rhel9cis_rule_5_1_12: true
|
|
rhel9cis_rule_5_1_13: true
|
|
rhel9cis_rule_5_1_14: true
|
|
rhel9cis_rule_5_1_15: true
|
|
rhel9cis_rule_5_1_16: true
|
|
rhel9cis_rule_5_1_17: true
|
|
rhel9cis_rule_5_1_18: true
|
|
rhel9cis_rule_5_1_19: true
|
|
rhel9cis_rule_5_1_20: true
|
|
rhel9cis_rule_5_1_21: true
|
|
rhel9cis_rule_5_1_22: true
|
|
# 5.2 Configure Privilege Escalation
|
|
rhel9cis_rule_5_2_1: true
|
|
rhel9cis_rule_5_2_2: true
|
|
rhel9cis_rule_5_2_3: true
|
|
rhel9cis_rule_5_2_4: true
|
|
rhel9cis_rule_5_2_5: true
|
|
rhel9cis_rule_5_2_6: true
|
|
rhel9cis_rule_5_2_7: true
|
|
# 5.3.1.x Configure PAM software packages
|
|
rhel9cis_rule_5_3_1_1: true
|
|
rhel9cis_rule_5_3_1_2: true
|
|
rhel9cis_rule_5_3_1_3: true
|
|
# 5.3.2 Configure authselect
|
|
rhel9cis_rule_5_3_2_1: true
|
|
rhel9cis_rule_5_3_2_2: true
|
|
rhel9cis_rule_5_3_2_3: true
|
|
rhel9cis_rule_5_3_2_4: true
|
|
rhel9cis_rule_5_3_2_5: true
|
|
# 5.3.3.1 Configure pam_faillock module
|
|
rhel9cis_rule_5_3_3_1_1: true
|
|
rhel9cis_rule_5_3_3_1_2: true
|
|
rhel9cis_rule_5_3_3_1_3: true
|
|
# 5.3.3.2 Configure pam_pwquality module
|
|
rhel9cis_rule_5_3_3_2_1: true
|
|
rhel9cis_rule_5_3_3_2_2: true
|
|
rhel9cis_rule_5_3_3_2_3: true
|
|
rhel9cis_rule_5_3_3_2_4: true
|
|
rhel9cis_rule_5_3_3_2_5: true
|
|
rhel9cis_rule_5_3_3_2_6: true
|
|
rhel9cis_rule_5_3_3_2_7: true
|
|
rhel9cis_rule_5_3_3_2_8: true
|
|
# 5.3.3.3 Configure pam_pwhistory module
|
|
# These are added as part of 5.3.2.4 using jinja2 template
|
|
rhel9cis_rule_5_3_3_3_1: true
|
|
rhel9cis_rule_5_3_3_3_2: true
|
|
rhel9cis_rule_5_3_3_3_3: true
|
|
# 5.3.3.4 Configure pam_unix module
|
|
rhel9cis_rule_5_3_3_4_1: true
|
|
rhel9cis_rule_5_3_3_4_2: true
|
|
rhel9cis_rule_5_3_3_4_3: true
|
|
rhel9cis_rule_5_3_3_4_4: true
|
|
# 5.4 User Accounts and Environment
|
|
# 5.4.1 Configure shadow password suite parameters
|
|
rhel9cis_rule_5_4_1_1: true
|
|
rhel9cis_rule_5_4_1_2: true
|
|
rhel9cis_rule_5_4_1_3: true
|
|
rhel9cis_rule_5_4_1_4: true
|
|
rhel9cis_rule_5_4_1_5: true
|
|
rhel9cis_rule_5_4_1_6: true
|
|
# 5.4.2 Configure root and system accounts and environment
|
|
rhel9cis_rule_5_4_2_1: true
|
|
rhel9cis_rule_5_4_2_2: true
|
|
rhel9cis_rule_5_4_2_3: true
|
|
rhel9cis_rule_5_4_2_4: true
|
|
rhel9cis_rule_5_4_2_5: true
|
|
rhel9cis_rule_5_4_2_6: true
|
|
rhel9cis_rule_5_4_2_7: true
|
|
rhel9cis_rule_5_4_2_8: true
|
|
# 5.4.2 Configure user default environment
|
|
rhel9cis_rule_5_4_3_1: true
|
|
rhel9cis_rule_5_4_3_2: true
|
|
rhel9cis_rule_5_4_3_3: true
|
|
|
|
## Section 6 Fixes
|
|
# Section 6 rules control Logging and Auditing
|
|
# Configure Integrity Checking
|
|
rhel9cis_rule_6_1_1: true
|
|
rhel9cis_rule_6_1_2: true
|
|
rhel9cis_rule_6_1_3: true
|
|
# 6.2.1 Configure systemd-journald service
|
|
rhel9cis_rule_6_2_1_1: true
|
|
rhel9cis_rule_6_2_1_2: true
|
|
rhel9cis_rule_6_2_1_3: true
|
|
rhel9cis_rule_6_2_1_4: true
|
|
# 6.2.2.x Configure journald
|
|
rhel9cis_rule_6_2_2_1_1: true
|
|
rhel9cis_rule_6_2_2_1_2: true
|
|
rhel9cis_rule_6_2_2_1_3: true
|
|
rhel9cis_rule_6_2_2_1_4: true
|
|
rhel9cis_rule_6_2_2_2: true
|
|
rhel9cis_rule_6_2_2_3: true
|
|
rhel9cis_rule_6_2_2_4: true
|
|
# 6.2.3 Configure rsyslog
|
|
rhel9cis_rule_6_2_3_1: true
|
|
rhel9cis_rule_6_2_3_2: true
|
|
rhel9cis_rule_6_2_3_3: true
|
|
rhel9cis_rule_6_2_3_4: true
|
|
rhel9cis_rule_6_2_3_5: true
|
|
rhel9cis_rule_6_2_3_6: true
|
|
rhel9cis_rule_6_2_3_7: true
|
|
rhel9cis_rule_6_2_3_8: true
|
|
# 6.2.4 Configure Logfiles
|
|
rhel9cis_rule_6_2_4_1: true
|
|
# 6.3 Configure Auditing
|
|
# 6.3.1 Configure auditd Service
|
|
rhel9cis_rule_6_3_1_1: true
|
|
rhel9cis_rule_6_3_1_2: true
|
|
rhel9cis_rule_6_3_1_3: true
|
|
rhel9cis_rule_6_3_1_4: true
|
|
# 6.3.2 Configure Data Retention
|
|
rhel9cis_rule_6_3_2_1: true
|
|
rhel9cis_rule_6_3_2_2: true
|
|
rhel9cis_rule_6_3_2_3: true
|
|
rhel9cis_rule_6_3_2_4: true
|
|
# 6.3.3 Configure auditd Rules
|
|
rhel9cis_rule_6_3_3_1: true
|
|
rhel9cis_rule_6_3_3_2: true
|
|
rhel9cis_rule_6_3_3_3: true
|
|
rhel9cis_rule_6_3_3_4: true
|
|
rhel9cis_rule_6_3_3_5: true
|
|
rhel9cis_rule_6_3_3_6: true
|
|
rhel9cis_rule_6_3_3_7: true
|
|
rhel9cis_rule_6_3_3_8: true
|
|
rhel9cis_rule_6_3_3_9: true
|
|
rhel9cis_rule_6_3_3_10: true
|
|
rhel9cis_rule_6_3_3_11: true
|
|
rhel9cis_rule_6_3_3_12: true
|
|
rhel9cis_rule_6_3_3_13: true
|
|
rhel9cis_rule_6_3_3_14: true
|
|
rhel9cis_rule_6_3_3_15: true
|
|
rhel9cis_rule_6_3_3_16: true
|
|
rhel9cis_rule_6_3_3_17: true
|
|
rhel9cis_rule_6_3_3_18: true
|
|
rhel9cis_rule_6_3_3_19: true
|
|
rhel9cis_rule_6_3_3_20: true
|
|
rhel9cis_rule_6_3_3_21: true
|
|
# 6.3.4 Configure auditd File Access
|
|
rhel9cis_rule_6_3_4_1: true
|
|
rhel9cis_rule_6_3_4_2: true
|
|
rhel9cis_rule_6_3_4_3: true
|
|
rhel9cis_rule_6_3_4_4: true
|
|
rhel9cis_rule_6_3_4_5: true
|
|
rhel9cis_rule_6_3_4_6: true
|
|
rhel9cis_rule_6_3_4_7: true
|
|
rhel9cis_rule_6_3_4_8: true
|
|
rhel9cis_rule_6_3_4_9: true
|
|
rhel9cis_rule_6_3_4_10: true
|
|
|
|
## Section 7 Fixes
|
|
# Section 7 rules control System Maintenance
|
|
# System File Permissions
|
|
rhel9cis_rule_7_1_1: true
|
|
rhel9cis_rule_7_1_2: true
|
|
rhel9cis_rule_7_1_3: true
|
|
rhel9cis_rule_7_1_4: true
|
|
rhel9cis_rule_7_1_5: true
|
|
rhel9cis_rule_7_1_6: true
|
|
rhel9cis_rule_7_1_7: true
|
|
rhel9cis_rule_7_1_8: true
|
|
rhel9cis_rule_7_1_9: true
|
|
rhel9cis_rule_7_1_10: true
|
|
rhel9cis_rule_7_1_11: true
|
|
rhel9cis_rule_7_1_12: true
|
|
rhel9cis_rule_7_1_13: true
|
|
# 7.2 Local User and Group Settings
|
|
rhel9cis_rule_7_2_1: true
|
|
rhel9cis_rule_7_2_2: true
|
|
rhel9cis_rule_7_2_3: true
|
|
rhel9cis_rule_7_2_4: true
|
|
rhel9cis_rule_7_2_5: true
|
|
rhel9cis_rule_7_2_6: true
|
|
rhel9cis_rule_7_2_7: true
|
|
rhel9cis_rule_7_2_8: true
|
|
rhel9cis_rule_7_2_9: true
|
|
|
|
## Section 1 vars
|
|
|
|
## Ability to enable debug on mounts to assist in troubleshooting
|
|
# Mount point changes are set based upon facts created in Prelim
|
|
# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
|
|
rhel9cis_debug_mount_data: false
|
|
|
|
## Control 1.1.2
|
|
# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
|
|
# otherwise fstab configuration will be used.
|
|
# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
|
|
rhel9cis_tmp_svc: false
|
|
|
|
## Control 1.2.1
|
|
# For new systems that have not yet run update the gpg key is not yet imported
|
|
# Setting to `true` will allow a test on the package and force the import of the key
|
|
rhel9cis_force_gpg_key_import: true
|
|
|
|
## Control 1.2.1.3
|
|
# When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM
|
|
# repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks
|
|
# which check the GPG signatures for all the individual YUM repositories.
|
|
rhel9cis_rhel_default_repo: true
|
|
## Control 1.2.1.3
|
|
# When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for
|
|
# enabling the GPG signatures-check for all the individual YUM repositories. If GPG signatures-check is enabled on repositories which do not
|
|
# support it(like RedHat), installation of packages will fail.
|
|
rhel9cis_rule_enable_repogpg: true
|
|
|
|
## Control 1.3.1.3|4|5 - SELinux policy settings
|
|
# This selects type of policy; targeted or mls( multilevel )
|
|
# mls should not be used, since it will disable unconfined policy module
|
|
# and may prevent some services from running. Requires SELinux not being disabled (by
|
|
# having 'rhel9cis_selinux_disable' var set as 'true'), otherwise setting will be ignored.
|
|
rhel9cis_selinux_pol: targeted
|
|
## Control 1.3.1.3|4|5 - SELinux policy settings
|
|
# This variable contains a specific SELinux mode, respectively:
|
|
# - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy
|
|
# rules. If system was installed with SELinux, this is enabled by default.
|
|
# - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only
|
|
# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used
|
|
# briefly to check if SELinux is the culprit in preventing your application
|
|
# from working".
|
|
# CIS expects enforcing since permissive allows operations that might compromise the system.
|
|
# Even though logging still occurs.
|
|
rhel9cis_selinux_enforce: enforcing
|
|
|
|
## Control 1.4.1
|
|
# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
|
|
# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
|
|
# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
|
|
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
|
|
|
|
## Control 1.4.1
|
|
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
|
|
rhel9cis_set_boot_pass: true
|
|
|
|
## Controls 1.6.x and Controls 5.1.x
|
|
# This variable governs if current Ansible role should manage system-wide crypto policy.
|
|
rhel9cis_crypto_policy_ansiblemanaged: true
|
|
# This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING
|
|
# 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore
|
|
# possible values for this variable are, as explained by RedHat docs:
|
|
# -'DEFAULT': reasonable default policy for today's standards (balances usability and security)
|
|
# -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
|
|
# -'FIPS': A level that conforms to the FIPS140-2 requirements
|
|
rhel9cis_crypto_policy: 'DEFAULT'
|
|
# This variable contains the value of the crypto policy module(combinations of policies and
|
|
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
|
|
# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
|
|
# - 'OSPP'
|
|
# - 'AD-SUPPORT'
|
|
# - 'AD-SUPPORT-LEGACY'
|
|
rhel9cis_crypto_policy_module: ''
|
|
## Controls 1.6.x
|
|
# This variable contains the value of the crypto policy module(combinations of policies and
|
|
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
|
|
# using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
|
|
rhel9cis_additional_crypto_policy_module: ''
|
|
|
|
## Controls:
|
|
# - 1.7.1 - Ensure message of the day is configured properly
|
|
# - 1.7.2 - Ensure local login warning banner is configured properly
|
|
# - 1.7.3 - Ensure remote login warning banner is configured properly
|
|
# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
|
|
rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported.
|
|
# End Banner
|
|
|
|
## Control 1.8.x - Settings for GDM
|
|
# do not run Control 1.8.x if using a display manager different than gdm
|
|
rhel9cis_display_manager: "gdm"
|
|
# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should
|
|
# be executed either to:
|
|
# - secure GDM, if GUI is needed('rhel9cis_gui: true')
|
|
# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false')
|
|
# The value of this variable is set automatically, if gnome is present this variable
|
|
# will always have `true` as a value, and `false` otherwise.
|
|
rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"
|
|
# This variable specifies the GNOME configuration database file to which configurations are written.
|
|
# (See "https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en")
|
|
# The default database is 'local'.
|
|
rhel9cis_dconf_db_name: local
|
|
# This variable governs the number of seconds of inactivity before the screen goes blank.
|
|
# Set max value for idle-delay in seconds (between 1 and 900)
|
|
rhel9cis_screensaver_idle_delay: 900
|
|
# This variable governs the number of seconds the screen remains blank before it is locked.
|
|
# Set max value for lock-delay in seconds (between 0 and 5)
|
|
rhel9cis_screensaver_lock_delay: 5
|
|
|
|
## Section 2. Services
|
|
|
|
## Section 2.1 Time Synchronization
|
|
|
|
## Control 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
|
|
# The following variable represents a list of time servers used
|
|
# for configuring chrony, timesyncd, and ntp.
|
|
# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
|
|
# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation
|
|
# of the time synchronization mechanism you are using.
|
|
rhel9cis_time_synchronization_servers:
|
|
- 0.pool.ntp.org
|
|
- 1.pool.ntp.org
|
|
- 2.pool.ntp.org
|
|
- 3.pool.ntp.org
|
|
## Control 2.1.2 - Time Synchronization servers
|
|
# This variable should contain the default options to be used for every NTP server hostname defined
|
|
# within the 'rhel9cis_time_synchronization_servers' var.
|
|
rhel9cis_chrony_server_options: "minpoll 8"
|
|
# This variable, if set to 'true'(default), will inform the kernel the system clock is kept synchronized
|
|
# and the kernel will update the real-time clock every 11 minutes. Otherwise, if 'rtcsync' option is
|
|
# disabled, chronyd will not be in sync(kernel discipline is disabled, 11 minutes mode will be off).
|
|
rhel9cis_chrony_server_rtcsync: false
|
|
# This variable configures the values to be used by chronyd to gradually correct any time offset,
|
|
# by slowing down/speeding up the clock. An example of this directive usage would be:
|
|
# 'makestep 1000 10'.
|
|
# Step the system clock:
|
|
# - IF the adjustment is larger than 1000 seconds
|
|
# - but ONLY IN the first ten clock updates
|
|
rhel9cis_chrony_server_makestep: "1.0 3"
|
|
# This variable configures the minimum number of sources that need to be considered as selectable in the source
|
|
# selection algorithm before the local clock is updated. Setting minsources to a larger number can be used to
|
|
# improve the reliability, because multiple sources will need to correspond with each other.
|
|
rhel9cis_chrony_server_minsources: 2
|
|
|
|
###
|
|
### The set of rules that make up section 2.1, are used for ensuring that
|
|
### certain services are not installed on the OS.
|
|
### The following list of variables contain two types: the ones that end in '_services', and the ones that end in '_mask'
|
|
### in '_mask'. For completely removing a service both those variables referencing that service shall be set to 'false'.
|
|
### For masking a service the type that ends in '_mask' shall be set to 'true'.
|
|
### Set this variable to `true` to keep service `autofs`; otherwise, the service is uninstalled.
|
|
###
|
|
|
|
###########################################
|
|
|
|
## Controls 2.1.x - Configure Server Services
|
|
# Set this variable to `true` to keep service `autofs`; otherwise, the service is uninstalled.
|
|
rhel9cis_autofs_services: false
|
|
# Set this variable to `true` to mask service `autofs`.
|
|
rhel9cis_autofs_mask: false
|
|
# Set this variable to `true` to keep service `avahi`; otherwise, the service is uninstalled.
|
|
rhel9cis_avahi_server: false
|
|
# Set this variable to `true` to mask service `avahi`.
|
|
rhel9cis_avahi_mask: false
|
|
# Set this variable to `true` to keep service `dhcp`; otherwise, the service is uninstalled.
|
|
rhel9cis_dhcp_server: false
|
|
# Set this variable to `true` to mask service `dhcp`.
|
|
rhel9cis_dhcp_mask: false
|
|
# Set this variable to `true` to keep service `dns`; otherwise, the service is uninstalled.
|
|
rhel9cis_dns_server: false
|
|
# Set this variable to `true` to mask service `dns`.
|
|
rhel9cis_dns_mask: false
|
|
# Set this variable to `true` to keep service `dnsmasq`; otherwise, the service is uninstalled.
|
|
rhel9cis_dnsmasq_server: false
|
|
# Set this variable to `true` to mask service `dnsmasq`.
|
|
rhel9cis_dnsmasq_mask: false
|
|
# Set this variable to `true` to keep service `samba`; otherwise, the service is uninstalled.
|
|
rhel9cis_samba_server: false
|
|
# Set this variable to `true` to mask service `samba`.
|
|
rhel9cis_samba_mask: false
|
|
# Set this variable to `true` to keep service `ftp`; otherwise, the service is uninstalled.
|
|
rhel9cis_ftp_server: false
|
|
# Set this variable to `true` to mask service `ftp`.
|
|
rhel9cis_ftp_mask: false
|
|
# Set this variable to `true` to keep service `message`; otherwise, the service is uninstalled.
|
|
rhel9cis_message_server: false # This is for messaging dovecot and cyrus-imap
|
|
# Set this variable to `true` to mask service `message`.
|
|
rhel9cis_message_mask: false
|
|
# Set this variable to `true` to keep service `nfs`; otherwise, the service is uninstalled.
|
|
rhel9cis_nfs_server: true
|
|
# Set this variable to `true` to mask service `nfs`.
|
|
rhel9cis_nfs_mask: true
|
|
# Set this variable to `true` to keep service `nis`; otherwise, the service is uninstalled.
|
|
rhel9cis_nis_server: true # set to mask if nis client required
|
|
# Set this variable to `true` to mask service `nis`.
|
|
rhel9cis_nis_mask: false
|
|
# Set this variable to `true` to keep service `print`; otherwise, the service is uninstalled.
|
|
rhel9cis_print_server: false # replaces cups
|
|
# Set this variable to `true` to mask service `print`.
|
|
rhel9cis_print_mask: false
|
|
# Set this variable to `true` to keep service `rpc`; otherwise, the service is uninstalled.
|
|
rhel9cis_rpc_server: true
|
|
# Set this variable to `true` to mask service `rpc`.
|
|
rhel9cis_rpc_mask: true
|
|
# Set this variable to `true` to keep service `rsync`; otherwise, the service is uninstalled.
|
|
rhel9cis_rsync_server: false
|
|
# Set this variable to `true` to mask service `rsync`.
|
|
rhel9cis_rsync_mask: false
|
|
# Set this variable to `true` to keep service `snmp`; otherwise, the service is uninstalled.
|
|
rhel9cis_snmp_server: false
|
|
# Set this variable to `true` to mask service `snmp`.
|
|
rhel9cis_snmp_mask: false
|
|
# Set this variable to `true` to keep service `telnet`; otherwise, the service is uninstalled.
|
|
rhel9cis_telnet_server: false
|
|
# Set this variable to `true` to mask service `telnet`.
|
|
rhel9cis_telnet_mask: false
|
|
# Set this variable to `true` to keep service `tftp`; otherwise, the service is uninstalled.
|
|
rhel9cis_tftp_server: false
|
|
# Set this variable to `true` to mask service `tftp`.
|
|
rhel9cis_tftp_mask: false
|
|
# Set this variable to `true` to keep service `squid`; otherwise, the service is uninstalled.
|
|
rhel9cis_squid_server: false
|
|
# Set this variable to `true` to mask service `squid`.
|
|
rhel9cis_squid_mask: false
|
|
# Set this variable to `true` to keep service `httpd`; otherwise, the service is uninstalled.
|
|
rhel9cis_httpd_server: false
|
|
# Set this variable to `true` to mask service `httpd`.
|
|
rhel9cis_httpd_mask: false
|
|
# Set this variable to `true` to keep service `nginx`; otherwise, the service is uninstalled.
|
|
rhel9cis_nginx_server: false
|
|
# Set this variable to `true` to mask service `nginx`.
|
|
rhel9cis_nginx_mask: false
|
|
# Set this variable to `true` to keep service `xinetd`; otherwise, the service is uninstalled.
|
|
rhel9cis_xinetd_server: false
|
|
# Set this variable to `true` to mask service `xinetd`.
|
|
rhel9cis_xinetd_mask: false
|
|
# Set this variable to `true` to keep service `xwindow`; otherwise, the service is uninstalled.
|
|
rhel9cis_xwindow_server: false # will remove mask not an option
|
|
|
|
## Control 2.1.21 - Ensure mail transfer agent is configured for local-only mode
|
|
# This variable if set to 'false', ensures that the mail transfer agent is configured for
|
|
# local-only mode.
|
|
rhel9cis_is_mail_server: false
|
|
|
|
## Section 2.2 Service clients
|
|
|
|
## Control - 2.2.1 - Ensure FTP client is not installed
|
|
# Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled.
|
|
rhel9cis_ftp_client: false
|
|
## Control - 2.2.2 - Ensure LDAP client is not installed
|
|
# Set this variable to `true` to keep package `openldap-clients`; otherwise, the package is uninstalled.
|
|
rhel9cis_openldap_clients_required: false
|
|
## Control - 2.2.3 - Ensure nis client is not installed
|
|
# Set this variable to `true` to keep package `nis`(`ypbind`); otherwise, the package is uninstalled.
|
|
rhel9cis_ypbind_required: false
|
|
## Control - 2.2.4 - Ensure telnet client is not installed
|
|
# Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled.
|
|
rhel9cis_telnet_required: false
|
|
## Control - 2.2.5 - Ensure tftp client is not installed
|
|
# Set this variable to `true` to keep package `tftp`; otherwise, the package is uninstalled.
|
|
rhel9cis_tftp_client: false
|
|
|
|
## Section 3 vars
|
|
|
|
## Control 3.1.1 - Ensure IPv6 status is identified
|
|
# This variable governs whether ipv6 is enabled or disabled.
|
|
rhel9cis_ipv6_required: true
|
|
# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
|
|
rhel9cis_ipv6_disable: "sysctl"
|
|
|
|
## Control 3.1.2 - Ensure wireless interfaces are disabled
|
|
# if wireless adapter found allow network manager to be installed
|
|
rhel9cis_install_network_manager: false
|
|
# This variable holds the name of the network manager package, and it is used
|
|
# as a conditional to implement control 3.1.2. If the network manager package
|
|
# is present on the system then the control will be implemented!
|
|
rhel9cis_network_manager_package_name: NetworkManager
|
|
|
|
## Control 3.1.3 - Ensure bluetooth services are not in use
|
|
# Set this variable to `true` to keep service `bluetooth`; otherwise, the service is uninstalled.
|
|
rhel9cis_bluetooth_service: false
|
|
# Set this variable to `true` to mask service `bluetooth`.
|
|
rhel9cis_bluetooth_mask: false
|
|
|
|
## Controls 3.3.x System network parameters (host only OR host and router)
|
|
# This variable governs whether specific CIS rules
|
|
# concerned with acceptance and routing of packages are skipped.
|
|
rhel9cis_is_router: false
|
|
|
|
# This variable governs if the task which updates sysctl(including sysctl reload) is executed.
|
|
# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact').
|
|
rhel9cis_sysctl_update: false
|
|
# This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to
|
|
# use the new configuration).
|
|
# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact').
|
|
rhel9cis_flush_ipv4_route: false
|
|
# This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to
|
|
# use the new configuration).
|
|
# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact').
|
|
rhel9cis_flush_ipv6_route: false
|
|
|
|
## Section 4 vars
|
|
|
|
### Firewall Service to install and configure - Options are:
|
|
# 1) either 'firewalld'
|
|
# 2) or 'nftables'
|
|
#### Some control allow for services to be removed or masked
|
|
#### The options are under each heading:
|
|
#### absent = remove the package
|
|
#### masked = leave package if installed and mask the service
|
|
rhel9cis_firewall: firewalld
|
|
|
|
## Control 4.2.2 - Ensure firewalld loopback traffic is configured
|
|
# This variable will set the firewalld default zone(that is used for everything that is not explicitly bound/assigned
|
|
# to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used.
|
|
rhel9cis_default_zone: public
|
|
|
|
## Controls 4.3.x
|
|
# This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables
|
|
# will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered!
|
|
rhel9cis_nft_tables_autonewtable: true
|
|
# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback
|
|
# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will
|
|
# be created using as name the value stored by this variable.
|
|
rhel9cis_nft_tables_tablename: filter
|
|
|
|
## Control 4.3.1 - Ensure nftables base chains exist
|
|
# This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically
|
|
# created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those
|
|
# chains will not be touched by nftables.
|
|
rhel9cis_nft_tables_autochaincreate: true
|
|
|
|
## Section 5 vars
|
|
|
|
## Section 5.1 - SSH
|
|
|
|
# This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of
|
|
# drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them.
|
|
# Otherwise, the default value is '/etc/ssh/ssh_config'.
|
|
rhel9cis_sshd_config_file: /etc/ssh/sshd_config
|
|
|
|
## Control 5.1.7 - Ensure sshd access is configured
|
|
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
|
|
# access for users whose user name matches one of the patterns. This is done
|
|
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
|
|
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
|
|
rhel9cis_sshd_allowusers: "{% if ansible_facts.user_id != 'root' %}{{ ansible_facts.user_id }}{% elif ansible_env.SUDO_USER is defined %}{{ ansible_env.SUDO_USER }}{% endif %}"
|
|
## Control 5.1.7 - Ensure sshd access is configured
|
|
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
|
|
# for users whose primary group or supplementary group list matches one of the patterns. This is done
|
|
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
|
|
rhel9cis_sshd_allowgroups: ""
|
|
## Control 5.1.7 - Ensure sshd access is configured
|
|
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
|
|
# for users whose user name matches one of the patterns. This is done
|
|
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
|
|
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
|
|
rhel9cis_sshd_denyusers: "nobody"
|
|
## Control 5.1.7 - Ensure sshd access is configured
|
|
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces,
|
|
# to prevent SSH access for users whose primary group or supplementary group list matches one of the patterns. This is done
|
|
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
|
|
rhel9cis_sshd_denygroups: ""
|
|
|
|
## Control 5.1.9 - Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
|
|
# This variable sets the maximum number of unresponsive "keep-alive" messages
|
|
# that can be sent from the server to the client before the connection is considered
|
|
# inactive and thus, closed.
|
|
rhel9cis_sshd_clientalivecountmax: 3
|
|
# This variable sets the time interval in seconds between sending "keep-alive"
|
|
# messages from the server to the client. These types of messages are intended to
|
|
# keep the connection alive and prevent it being terminated due to inactivity.
|
|
rhel9cis_sshd_clientaliveinterval: 15
|
|
|
|
## Control 5.1.10 - Ensure sshd DisableForwarding is enabled
|
|
# By Default this will also disablex11 forwarding
|
|
# set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
|
|
# This variable's value is used in the `/etc/ssh/ssh_config.d/50-redhat.conf` file to
|
|
# disable X11Forwarding. If X11 is required, set this variable's value to `yes`!
|
|
rhel9cis_sshd_x11forwarding: 'no'
|
|
|
|
## Control 5.1.14 - Ensure SSH LoginGraceTime is set to one minute or less
|
|
# This variable specifies the amount of seconds allowed for successful authentication to
|
|
# the SSH server.
|
|
rhel9cis_sshd_logingracetime: 60
|
|
|
|
## Control 5.1.15 - Ensure SSH LogLevel is appropriate
|
|
# This variable is used to control the verbosity of the logging produced by the SSH server.
|
|
# The options for setting it are as follows:
|
|
# - `QUIET`: Minimal logging;
|
|
# - `FATAL`: logs only fatal errors;
|
|
# - `ERROR`: logs error messages;
|
|
# - `INFO`: logs informational messages in addition to errors;
|
|
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
|
|
# - `DEBUG`: generates very detailed debugging information including sensitive information.
|
|
# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1.
|
|
rhel9cis_ssh_loglevel: INFO
|
|
|
|
## Control 5.1.16 - Ensure sshd MaxAuthTries is configured
|
|
# The MaxAuthTries parameter specifies the maximum number of authentication
|
|
# attempts permitted per connection. When the login failure count reaches half the
|
|
# number, error messages will be written to the syslog file detailing the login failure.
|
|
rhel9cis_ssh_maxauthtries: '4'
|
|
|
|
## Control 5.1.17 - Ensure sshd MaxStartups is configured
|
|
# The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
|
|
rhel9cis_ssh_maxstartups: '10:30:60'
|
|
|
|
## Control 5.1.18 - Ensure sshd MaxSessions is configured
|
|
# This variable value specifies the maximum number of open sessions that are permitted from
|
|
# a given location. CIS recommends it to be 10 or less.
|
|
rhel9cis_ssh_maxsessions: 4
|
|
|
|
## Control 5.2.x - Ensure sudo log file exists
|
|
# By default, sudo logs through syslog(3). However, to specify a custom log file, the
|
|
# 'logfile' parameter will be used, setting it with current variable's value.
|
|
# This variable defines the path and file name of the sudo log file.
|
|
rhel9cis_sudolog_location: "/var/log/sudo.log"
|
|
|
|
## Control 5.2.4 - Ensure users must provide password for escalation
|
|
# The following variable specifies a list of users that should not be required to provide a password
|
|
# for escalation. Feel free to edit it according to your needs.
|
|
rhel9cis_sudoers_exclude_nopasswd_list:
|
|
- ec2-user
|
|
- vagrant
|
|
|
|
## Control 5.2.6 - Ensure sudo authentication timeout is configured correctly
|
|
# This variable sets the duration (in minutes) during which a user's authentication credentials
|
|
# are cached after successfully authenticating using "sudo". This allows the user to execute
|
|
# multiple commands with elevated privileges without needing to re-enter their password for each
|
|
# command within the specified time period. CIS requires a value of at most 15 minutes.
|
|
rhel9cis_sudo_timestamp_timeout: 15
|
|
|
|
## Control 5.2.7 - Ensure access to the 'su' command is restricted
|
|
# This variable determines the name of the group of users that are allowed to use the su command.
|
|
# CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY.
|
|
rhel9cis_sugroup: sugroup
|
|
|
|
## Controls 5.3.x PAM and Authselect
|
|
# Do not use authselect if:
|
|
# Your host is part of Linux Identity Management.
|
|
# Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
|
|
# Your host is part of Active Directory via SSSD.
|
|
# Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
|
|
rhel9cis_allow_authselect_updates: true
|
|
## Control 5.3.1.2 - Ensure latest version of authselect is installed
|
|
# The following variables controls the implementation of control 5.3.1.2.
|
|
# If you want the latest version to be installed set this variable's value
|
|
# to `true`.
|
|
rhel9cis_authselect_pkg_update: false # NOTE the risks if system is using SSSD or using ipa-client-install
|
|
|
|
## PAM AND Authselect
|
|
|
|
## Controls 5.3.x
|
|
|
|
# This variable configures the name of the custom profile to be created and selected.
|
|
# To be changed from default - cis_example_profile. This setting needs to be adjusted
|
|
# in order to minimise risk.
|
|
rhel9cis_authselect_custom_profile_name: cis_example_profile
|
|
# Name of the existing authselect profile to copy - options can be found with
|
|
# ```authselect list``` on the host to be configured
|
|
rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
|
|
|
|
## Control 5.3.3.1.1 -
|
|
# This variable sets the amount of tries a password can be entered, before a user is locked.
|
|
rhel9cis_pam_faillock_deny: 5
|
|
## Control 5.3.3.2, 5.3.2.2
|
|
# This variable sets the amount of time a user will be unlocked after the max amount of
|
|
# password failures.
|
|
rhel9cis_pam_faillock_unlock_time: 900
|
|
|
|
## Control 5.3.3.1.3 - Ensure password failed attempts lockout includes root account
|
|
# This variable is used in the task that ensures that even the root account
|
|
# is included in the password failed attempts lockout measure.
|
|
# The following variable is used in the 'regexp' field. This field is used to find the
|
|
# line in the file. If the line matches the regular expression, it will be replaced
|
|
# with the line parameter's value.
|
|
rhel9cis_pamroot_lock_option: even_deny_root
|
|
|
|
## Control 5.3.3.2.1 - Ensure password number of changed characters is configured
|
|
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
|
|
# in order to implement the 'Ensure password number of changed characters is configured' control.
|
|
rhel9cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf # pragma: allowlist secret
|
|
# This variable's value represents the minimum number of characters that must be different between
|
|
# the new password and the old password. It helps ensure that users don't create new passwords that
|
|
# are too similar to their previous ones, enhancing security. CIS states that this value should be at least 2.
|
|
rhel9cis_passwd_difok_value: 2
|
|
|
|
## Control 5.3.3.2.2 - Ensure minimum password length is configured
|
|
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
|
|
# in order to implement the 'Ensure minimum password length is configured' control.
|
|
rhel9cis_passwd_minlen_file: etc/security/pwquality.conf.d/50-pwlength.conf # pragma: allowlist secret
|
|
# This variable specifies the minimum length that a password must have to be considered valid.
|
|
# CIS states that this value should be at least 14.
|
|
rhel9cis_passwd_minlen_value: 14
|
|
|
|
## Control 5.3.3.2.3 - Ensure password complexity is configured
|
|
# The following variable holds the path to the configuration file that will be created (or overwritten if already existing)
|
|
# in order to implement the 'Ensure password complexity is configured' control.
|
|
rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf # pragma: allowlist secret
|
|
# This variable holds the options for configuring the password complexity.
|
|
# Options supported are: 'minclass' or 'credits'.
|
|
rhel9cis_passwd_complex_option: minclass # pragma: allowlist secret
|
|
# The following variable sets the password complexity via 'minclass'. The 'minclass' option provides
|
|
# the minimum number of classes of characters required in a new password. (digits, uppercase, lowercase, others). e.g.
|
|
# For example a value of 4 would mean that it requires digits, uppercase, lower case, and special characters.
|
|
rhel9cis_passwd_minclass: 4
|
|
# The following variables set the password complexity via the 'credits' option.
|
|
# Each of the variables represents a requirement for complexity.
|
|
# The 'dcredit' variable is the maximum credit for having digits in the new password.
|
|
# If less than 0 it is the minimum number of digits in the new password.
|
|
# e.g. dcredit = -1 requires at least one digit
|
|
rhel9cis_passwd_dcredit: -1
|
|
# The 'ucredit' variable is the maximum credit for having uppercase characters in the new password.
|
|
# If less than 0 it is the minimum number of uppercase characters in the new password.
|
|
# e.g. ucredit = -1 requires at least one uppercase character
|
|
rhel9cis_passwd_ucredit: -2
|
|
# The 'ocredit' variable is the maximum credit for having other characters in the new password.
|
|
# If less than 0 it is the minimum number of other characters in the new password.
|
|
# e.g. ocredit = -1 requires at least one special character
|
|
rhel9cis_passwd_ocredit: 0
|
|
# The 'lcredit' variable is the maximum credit for having lowercase characters in the new password.
|
|
# If less than 0 it is the minimum number of lowercase characters in the new password.
|
|
# e.g. lcredit = -1 requires at least one lowercase character
|
|
rhel9cis_passwd_lcredit: -2
|
|
|
|
## Control 5.3.3.2.4 - Ensure password same consecutive characters is configured
|
|
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
|
|
# in order to implement the 'Ensure password same consecutive characters is configured' control.
|
|
rhel9cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf # pragma: allowlist secret
|
|
# The following variable sets the maximum number of allowed same consecutive characters in a new password.
|
|
rhel9cis_passwd_maxrepeat_value: 3
|
|
|
|
## Control 5.3.3.2.5 - Ensure password maximum sequential characters is configured
|
|
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
|
|
# in order to implement the 'Ensure password maximum sequential characters is configured' control.
|
|
rhel9cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequence.conf # pragma: allowlist secret
|
|
# The following variable sets the maximum length of monotonic character sequences in the new password.
|
|
# Examples of such sequence are '12345' or 'fedcb' . The check is disabled if the value is 0 .
|
|
rhel9cis_passwd_maxsequence_value: 3
|
|
|
|
## Control 5.3.3.2.6 - Ensure password dictionary check is enabled
|
|
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
|
|
# in order to implement the 'Ensure password dictionary check is enabled' control
|
|
rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf # pragma: allowlist secret
|
|
# The following variable's value sets whether to check for the words from the cracklib dictionary.
|
|
# When set to '1', this option enables dictionary checks, ensuring that passwords are not based on common
|
|
# dictionary words, which helps prevent users from choosing easily guessable passwords.
|
|
# When set to '0', dictionary checks are disabled. CIS states that it shall always be set to '1'.
|
|
rhel9cis_passwd_dictcheck_value: 1
|
|
|
|
# This variable is used in one of the config files to ensure password quality checking is enforced
|
|
rhel9cis_passwd_quality_enforce_value: 1
|
|
|
|
## Control 5.3.3.2.7 - Ensure password quality is enforced for the root user
|
|
# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
|
|
# in order to implement the 'Ensure password quality is enforced for the root user' control.
|
|
rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret
|
|
# The following variable enforces that the root user must adhere to the same password quality policies as other users.
|
|
rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret
|
|
|
|
## Control 5.3.3.3.1 - Ensure password history remember is configured
|
|
# This variable represents the number of password change cycles, after which
|
|
# a user can re-use a password. CIS requires a value of 24 or more.
|
|
rhel9cis_pamd_pwhistory_remember: 24
|
|
|
|
## Controls 5.3.3.4.3, 5.4.1.4
|
|
# The following variable's value represents the hashing algorithm used
|
|
rhel9cis_passwd_hash_algo: sha512 # pragma: allowlist secret
|
|
|
|
## Control 5.4.1.1 - Ensure password expiration is 365 days or less
|
|
# This variable governs after how many days a password expires.
|
|
# CIS requires a value of 365 or less.
|
|
rhel9cis_pass_max_days: 365
|
|
# The following variable allows the forcing of setting user_max_days for logins.
|
|
# This can break current connecting user access
|
|
rhel9cis_force_user_maxdays: false
|
|
## Control 5.4.1.2 - Ensure minimum days between password changes is 7 or more
|
|
# This variable specifies the minimum number of days allowed between changing
|
|
# passwords. CIS requires a value of at least 1.
|
|
rhel9cis_pass_min_days: 7
|
|
# The following variable allows the force setting of minimum days between changing the password
|
|
# This can break current connecting user access
|
|
rhel9cis_force_user_mindays: false
|
|
## Control 5.4.1.3 - Ensure password expiration warning days is 7 or more
|
|
# This variable governs, how many days before a password expires, the user will be warned.
|
|
# CIS requires a value of at least 7.
|
|
rhel9cis_pass_warn_age: 7
|
|
# The following variable allows the forcing of number of days before warning users of password expiry
|
|
# This can break current connecting user access
|
|
rhel9cis_force_user_warnage: false
|
|
|
|
## Control 5.4.1.5 - Ensure inactive password lock is configured
|
|
rhel9cis_inactivelock:
|
|
# This variable specifies the number of days of inactivity before an account will be locked.
|
|
# CIS requires a value of 30 days or less.
|
|
lock_days: 30
|
|
|
|
## Control 5.4.1.6 - Ensure all users last password change date is in the past
|
|
# Allow ansible to expire password for account with a last changed date in the future. Setting it
|
|
# to 'false' will just display users in violation, while 'true' will expire those users passwords.
|
|
rhel9cis_futurepwchgdate_autofix: true
|
|
|
|
## Control 5.4.2.6 - Ensure root user umask is configured
|
|
# The following variable specifies the "umask" to configure for the root user.
|
|
# The user file-creation mode mask ( umask ) is used to determine the file
|
|
# permission for newly created directories and files. In Linux, the default
|
|
# permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for
|
|
# any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default
|
|
# Linux permissions by restricting (masking) these permissions. The umask is not
|
|
# simply subtracted, but is processed bitwise. Bits set in the umask are cleared
|
|
# in the resulting file mode. CIS recommends setting 'umask' to '0027' or more
|
|
# restrictive.
|
|
rhel9cis_root_umask: '0027' # 0027 or more restrictive
|
|
|
|
## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
|
|
# The system users on this list are allowed to have a shell (e.g. applications
|
|
# that require a shell to function)
|
|
rhel9cis_system_users_shell: []
|
|
|
|
## Control 5.4.3.2 - Configuring user shell timeout
|
|
# This dictionary is related to ensuring the rule about user shell timeout
|
|
# This variable represents the amount of seconds a command or process is allowed to
|
|
# run before being forcefully terminated.
|
|
# CIS requires a value of at most 900 seconds.
|
|
rhel9cis_shell_session_timeout: 900
|
|
# This variable specifies the path of the timeout setting file.
|
|
# (TMOUT setting can be set in multiple files, but only one is required for the
|
|
# rule to pass. Options are:
|
|
# - a file in `/etc/profile.d/` ending in `.s`,
|
|
# - `/etc/profile`, or
|
|
# - `/etc/bash.bashrc`.
|
|
rhel9cis_shell_session_file: /etc/profile.d/tmout.sh
|
|
|
|
## Control 5.4.3.3 - Ensure default user umask is configured
|
|
# The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`.
|
|
# The value needs to be `027` or more restrictive to comply with CIS standards.
|
|
rhel9cis_bash_umask: '0027' # 0027 or more restrictive
|
|
|
|
## Section 6 vars
|
|
|
|
## Control 6.1.1 - Ensure AIDE is installed
|
|
# AIDE is a file integrity checking tool, similar in nature to Tripwire.
|
|
# While it cannot prevent intrusions, it can detect unauthorized changes
|
|
# to configuration files by alerting when the files are changed. Review
|
|
# the AIDE quick start guide and AIDE documentation before proceeding.
|
|
# By setting this variable to `true`, all the settings related to AIDE
|
|
# will be applied!
|
|
rhel9cis_config_aide: true
|
|
# This variable sets a maximum allowed age of the AIDE database file until
|
|
# the file is rebuilt. If the file is older than the value below, the role
|
|
# will automatically rebuild the database file.
|
|
# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour
|
|
rhel9cis_aide_db_file_age: 1w
|
|
# If AIDE is already setup this variable forces a new database
|
|
# file to be created.
|
|
rhel9cis_aide_db_recreate: false
|
|
# This variable is used to check if there is already an existing database file
|
|
# created by AIDE on the target system. If it is not present, the role will generate
|
|
# a database file with the same name as the value of this variable.
|
|
rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz
|
|
|
|
## Control 6.1.2 - Ensure filesystem integrity is regularly checked
|
|
# The following variable sets how AIDE is scanned.
|
|
# Available options are either cron or timer.
|
|
rhel9cis_aide_scan: cron
|
|
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
|
|
# The sub-settings of this variable provide the parameters required to configure
|
|
# the cron job on the target system.
|
|
# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
|
|
# and executed automatically at a certain point in time.
|
|
rhel9cis_aide_cron:
|
|
# This variable represents the user account under which the cron job for AIDE will run.
|
|
cron_user: root
|
|
# This variable represents the path to the AIDE crontab file.
|
|
cron_file: /etc/cron.d/aide_cron
|
|
# This variable represents the actual command or script that the cron job
|
|
# will execute for running AIDE.
|
|
aide_job: '/usr/sbin/aide --check'
|
|
# These variables define the schedule for the cron job
|
|
# This variable governs the minute of the time of day when the AIDE cronjob is run.
|
|
# It must be in the range `0-59`.
|
|
aide_minute: 0
|
|
# This variable governs the hour of the time of day when the AIDE cronjob is run.
|
|
# It must be in the range `0-23`.
|
|
aide_hour: 5
|
|
# This variable governs the day of the month when the AIDE cronjob is run.
|
|
# `*` signifies that the job is run on all days; furthermore, specific days
|
|
# can be given in the range `1-31`; several days can be concatenated with a comma.
|
|
# The specified day(s) can must be in the range `1-31`.
|
|
aide_day: '*'
|
|
# This variable governs months when the AIDE cronjob is run.
|
|
# `*` signifies that the job is run in every month; furthermore, specific months
|
|
# can be given in the range `1-12`; several months can be concatenated with commas.
|
|
# The specified month(s) can must be in the range `1-12`.
|
|
aide_month: '*'
|
|
# This variable governs the weekdays, when the AIDE cronjob is run.
|
|
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
|
|
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
|
|
# can be concatenated with commas.
|
|
aide_weekday: '*'
|
|
|
|
## Preferred method of logging
|
|
## Controls 6.2.1.x | Configure systemd-journald service
|
|
## Controls 6.2.2.x | Configured journald
|
|
## Controls 6.2.3.x | Configure rsyslog
|
|
# This variable governs which logging service should be used, choosing between 'rsyslog'
|
|
# or 'journald'(CIS recommendation) will trigger the execution of the associated subsection, as the-best
|
|
# practices are written wholly independent of each other.
|
|
rhel9cis_syslog: rsyslog
|
|
|
|
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
|
|
# Current variable configures the max amount of disk space the logs will use(thus, journal files
|
|
# will not grow without bounds)
|
|
# The variables below related to journald, please set these to your site specific values
|
|
# These variable specifies how much disk space the journal may use up at most
|
|
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
|
|
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
|
|
rhel9cis_journald_systemmaxuse: 10M
|
|
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
|
|
# Current variable configures the amount of disk space to keep free for other uses.
|
|
rhel9cis_journald_systemkeepfree: 100G
|
|
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
|
|
# This variable configures how much disk space the journal may use up at most.
|
|
# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
|
|
rhel9cis_journald_runtimemaxuse: 10M
|
|
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
|
|
# This variable configures the actual amount of disk space to keep free
|
|
# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
|
|
rhel9cis_journald_runtimekeepfree: 100G
|
|
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
|
|
# Current variable governs the settings for log retention(how long the log files will be kept).
|
|
# Thus, it specifies the maximum time to store entries in a single journal
|
|
# file before rotating to the next one. Set to 0 to turn off this feature.
|
|
# The given values is interpreted as seconds, unless suffixed with the units
|
|
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
|
|
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
|
|
# ATTENTION: Uncomment the keyword below when values are set!
|
|
rhel9cis_journald_maxfilesec: 1month
|
|
|
|
## Control 6.2.2.1.2 - Ensure systemd-journal-upload authentication is configured
|
|
# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
|
|
# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
|
|
# number may be specified after a colon (":"), otherwise 19532 will be used by default.
|
|
rhel9cis_journal_upload_url: 192.168.50.42
|
|
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
|
|
# This variable specifies the path to the private key file used by the remote journal
|
|
# server to authenticate itself to the client. This key is used alongside the server's
|
|
# public certificate to establish secure communication. The path below has the default
|
|
# path/file, but it is also allowed for a user to create its custom path/filename.
|
|
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
|
|
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
|
|
# This variable specifies the path to the public certificate file of the remote journal
|
|
# server. This certificate is used to verify the authenticity of the remote server. The path
|
|
# below has the default path/file, but it is also allowed for a user to create its custom
|
|
# path/filename.
|
|
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
|
|
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
|
|
# This variable specifies the path to a file containing one or more public certificates
|
|
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
|
|
# to validate the authenticity of the remote server's certificate. The path below has the default
|
|
## path/file, but it is also allowed for a user to create its custom path/filename.
|
|
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
|
|
# ATTENTION: Uncomment the keyword below when values are set!
|
|
|
|
## Control 6.2.3.5 | PATCH | Ensure logging is configured
|
|
# This variable governs if current Ansible role should manage syslog settings
|
|
# in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages)
|
|
rhel9cis_rsyslog_ansiblemanaged: true
|
|
|
|
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
|
|
# This variable governs if 'rsyslog' service should be automatically configured to forward messages to a
|
|
# remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding
|
|
# over UDP or TCP, will not be performed.
|
|
rhel9cis_remote_log_server: false
|
|
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
|
|
# This variable configures the value of the 'target' parameter to be configured when enabling
|
|
# forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the
|
|
# destination server. For this value to be reflected in the configuration, the variable which enables the
|
|
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
|
|
rhel9cis_remote_log_host: logagg.example.com
|
|
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
|
|
# This variable configures the value of the 'port' parameter to be configured when enabling
|
|
# forwarding syslog messages to a remote log server. The default value for this destination port is 514.
|
|
# For this value to be reflected in the configuration, the variable which enables the
|
|
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
|
|
rhel9cis_remote_log_port: 514
|
|
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
|
|
# This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling
|
|
# forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP.
|
|
# For this value to be reflected in the configuration, the variable which enables the
|
|
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
|
|
rhel9cis_remote_log_protocol: tcp
|
|
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
|
|
# This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before
|
|
# it is considered to have failed(that roughly translates to discarded messages). The default value is 0, but
|
|
# when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect
|
|
# if server is not responding. For this value to be reflected in the configuration, the variable which enables the
|
|
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
|
|
rhel9cis_remote_log_retrycount: 100
|
|
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
|
|
# This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter).
|
|
# For this value to be reflected in the configuration, the variable which enables the automatic configuration
|
|
# of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
|
|
rhel9cis_remote_log_queuesize: 1000
|
|
|
|
## Control 6.2.3.7 - Ensure rsyslog is not configured to receive logs from a remote client
|
|
# This variable expresses whether the system is used as a log server or not. If set to:
|
|
# - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts.
|
|
# - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity
|
|
# from local attacks on remote clients)
|
|
rhel9cis_system_is_log_server: false
|
|
|
|
## Control 6.2.3.8 rsyslog rotate
|
|
# This variable configures whether to set your own rsyslog logrotate setting
|
|
# alternate to logrotate default settings. Please refer to logrotate options
|
|
# to match your site requirements
|
|
# This variable sets when to rotate
|
|
rhel9cis_rsyslog_logrotate_rotated_when: weekly
|
|
# This variable sets how many rotations of the file to keep
|
|
rhel9cis_rsyslog_logrotate_rotatation_keep: 4
|
|
# The following variable defines whether to set the compress option
|
|
# or not. Setting it to `true` will carry out the setting.
|
|
rhel9cis_rsyslog_logrotate_compress: true
|
|
# The following variable defines whether to set the missingok option
|
|
# or not. Setting it to `true` will carry out the setting.
|
|
rhel9cis_rsyslog_logrotate_missingok: true
|
|
# The following variable defines whether to set the notifempty option
|
|
# or not. Setting it to `true` will carry out the setting.
|
|
rhel9cis_rsyslog_logrotate_notifempty: true
|
|
# The following variable defines whether to set extra options that can
|
|
# be defined in the `rhel9cis_rsyslog_logrotate_create_opts` variable
|
|
# The variable can be found underneath this variable, in a commented
|
|
# state.
|
|
rhel9cis_rsyslog_logrotate_create: true
|
|
# Extra options that can be added according to rsyslog documentation
|
|
# Uncomment and add the required options e.g. mode owner group
|
|
# rhel9cis_rsyslog_logrotate_create_opts:
|
|
|
|
## Control 6.3.1.3 - Ensure audit_backlog_limit is sufficient
|
|
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
|
|
# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
|
|
# Buffering in memory is useful in situations, where the audit system is overwhelmed
|
|
# with incoming audit events, and needs to temporarily store them until they can be processed.
|
|
# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
|
|
rhel9cis_audit_back_log_limit: 8192
|
|
|
|
## Controls 6.3.2.x - What to do when log files fill up
|
|
|
|
## Control 6.3.2.1 - Ensure audit log storage size is configured
|
|
# This variable specifies the maximum size in MB that an audit log file can reach
|
|
# before it is archived or deleted to make space for the new audit data.
|
|
# This should be set based on your sites policy. CIS does not provide a specific value.
|
|
rhel9cis_auditd_max_log_file_size: 10
|
|
|
|
## Control 6.3.2.2 - Ensure audit logs are not automatically deleted
|
|
# This variable determines what action the audit system should take when the maximum
|
|
# size of a log file is reached.
|
|
# The options for setting this variable are as follows:
|
|
# - `ignore`: the system does nothing when the size of a log file is full;
|
|
# - `syslog`: a message is sent to the system log indicating the problem;
|
|
# - `suspend`: the system suspends recording audit events until the log file is cleared or rotated;
|
|
# - `rotate`: the log file is rotated (archived) and a new empty log file is created;
|
|
# - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints.
|
|
# CIS prescribes the value `keep_logs`.
|
|
rhel9cis_auditd_max_log_file_action: keep_logs
|
|
|
|
## Control 6.3.2.3 - Ensure system is disabled when audit logs are full
|
|
# This variable determines how the system should act in case of issues with the disk.
|
|
# The disk_full_action parameter tells the system what action to take when no free space is
|
|
# available on the partition that holds the audit log files.
|
|
# Valid values are ignore, syslog, rotate, exec, suspend, single, and halt.
|
|
# CIS prescribes
|
|
# disk_full_action parameter:
|
|
# Set to halt - the auditd daemon will shutdown the system when the disk partition containing
|
|
# the audit logs becomes full.
|
|
# Set to single - the auditd daemon will put the computer system in single user mode when the
|
|
# disk partition containing the audit logs becomes full.
|
|
rhel9cis_auditd_disk_full_action: halt
|
|
# This variable determines how the system should act in case of issues with the disk.
|
|
# The disk_error_action parameter tells the system what action to take when an error is detected
|
|
# on the partition that holds the audit log files.
|
|
# Valid values are ignore, syslog, exec, suspend, single, and halt.
|
|
# disk_error_action parameter:
|
|
# Set to halt - the auditd daemon will shutdown the system when an error is detected on the
|
|
# partition that holds the audit log files.
|
|
# Set to single - the auditd daemon will put the computer system in single user mode when
|
|
# an error is detected on the partition that holds the audit log files.
|
|
# Set to syslog - the auditd daemon will issue no more than 5 consecutive warnings to syslog
|
|
# when an error is detected on the partition that holds the audit log files.
|
|
rhel9cis_auditd_disk_error_action: syslog
|
|
|
|
## Control 6.3.2.4 - Ensure system warns when audit logs are low on space
|
|
# This variable tells the system what action to take when the system has detected
|
|
# that it is starting to get low on disk space.
|
|
# The options for setting this variable are as follows:
|
|
# "ignore" - the system does nothing when presented with the aforementioned issue;
|
|
# "syslog" - a message is sent to the system log about disk space running low;
|
|
# "email" - the system sends an email notification to the email address
|
|
# specified in the "action_mail_acct" variable;
|
|
# "exec" - the system executes a custom command when disk space is running
|
|
# low;
|
|
# "suspend" - the system suspends recording audit events until more space is available;
|
|
# "single" - the audit daemon will put the computer system in single user mode;
|
|
# "halt" - the system is halted when disk space is critically low;
|
|
# CIS prescribes either 'email', 'exec', `single` or `halt`.
|
|
rhel9cis_auditd_space_left_action: email
|
|
# This variable tells the system what action to take when the system has detected
|
|
# that it is low on disk space.
|
|
# The options for setting this variable are as follows:
|
|
# "ignore" - the system does nothing when presented with the aforementioned issue;
|
|
# "syslog" - a message is sent to the system log about disk space running low;
|
|
# "email" - the system sends an email notification to the email address
|
|
# specified in the "action_mail_acct" variable;
|
|
# "exec" - the system executes a custom command when disk space is running
|
|
# low;
|
|
# "suspend" - the system suspends recording audit events until more space is available;
|
|
# "single" - the audit daemon will put the computer system in single user mode;
|
|
# "halt" - the system is halted when disk space is critically low;
|
|
# CIS prescribes either `halt` or `single`.
|
|
rhel9cis_auditd_admin_space_left_action: halt
|
|
|
|
# This value governs if the below extra-vars (found in the `rhel9cis_auditd_extra_conf`)
|
|
# for auditd should be used by the role.
|
|
rhel9cis_auditd_extra_conf_usage: false
|
|
|
|
## Controls 6.3.3.x allow exceptions for UID in auditd config
|
|
## Advanced option found in auditd post
|
|
# This variable governs if defining user exceptions for auditd logging is acceptable.
|
|
rhel9cis_allow_auditd_uid_user_exclusions: false
|
|
# This variable contains a list of uids to be excluded(users whose actions are not logged by auditd)
|
|
rhel9cis_auditd_uid_exclude:
|
|
- 1999
|
|
|
|
# This can be used to configure other keys in auditd.conf
|
|
rhel9cis_auditd_extra_conf:
|
|
# This variable governs the threshold(MegaBytes) under which the audit daemon should perform a
|
|
# specific action to alert that the system is running low on disk space. Must be lower than
|
|
# the 'space_left' variable.
|
|
admin_space_left: '10%'
|
|
|
|
# Section 7 Vars
|
|
|
|
## Control 7.1.11 - Ensure no world writable files exist
|
|
# The following variable is a toggle for enabling/disabling the automated
|
|
# removal of world-writable permissions from all files.
|
|
# Possible values are `true` and `false`.
|
|
rhel9cis_no_world_write_adjust: true
|
|
|
|
## Control 7.1.12 - Ensure no files or directories without an owner and a group exist
|
|
# This variable holds the part of the command that helps detect which files and
|
|
# directories do not have an owner and an affiliated group.
|
|
rhel9cis_exclude_unowned_search_path: (! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*")
|
|
# The value of this variable specifies the owner that will be set for unowned files and directories.
|
|
rhel9cis_unowned_owner: root
|
|
# The value of this variable specifies the group that will be set for ungrouped files and directories.
|
|
rhel9cis_ungrouped_group: root
|
|
# This variable is a toggle for enabling/disabling the automated
|
|
# setting of an owner (specified in variable `rhel9cis_unowned_owner`)
|
|
# for all unowned files and directories.
|
|
# Possible values are `true` and `false`.
|
|
rhel9cis_ownership_adjust: true
|
|
|
|
## Control 7.1.13 - Ensure SUID and SGID files are reviewed
|
|
# This variable is a toggle for enabling/disabling the automated removal
|
|
# of the SUID bit from all files on all mounts.
|
|
# Possible values are `true` and `false`.
|
|
rhel9cis_suid_sgid_adjust: false
|
|
|
|
## Control 7.2.8 - Ensure local interactive user home directories are configured
|
|
# UID settings for interactive users
|
|
# These are discovered via logins.def if set true
|
|
rhel9cis_discover_int_uid: true
|
|
# This variable sets the minimum number from which to search for UID
|
|
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
|
|
# been set to `true`.
|
|
min_int_uid: 1000
|
|
# This variable sets the maximum number at which the search stops for UID
|
|
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
|
|
# been set to `true`.
|
|
max_int_uid: 65533
|
|
|
|
## Control 7.2.9 - Ensure local interactive user dot files access is configured
|
|
# This variable is a toggle for enabling/disabling the automated modification of
|
|
# permissions on dot files.
|
|
# Possible values are `true` and `false`
|
|
# This setting can impact a running system if not tested sufficiently
|
|
rhel9cis_dotperm_ansiblemanaged: false
|