RHEL9-CIS/templates/ansible_vars_goss.yml.j2
---
# Enable long-running, potentially resource-intensive tests
run_heavy_tests: {{ audit_run_heavy_tests }}
# Extend default command timeout for longer running tests
timeout_ms: {{ audit_cmd_timeout }}
## Switching on/off specific baseline sections
# These variables govern whether the tasks of a particular section are to be executed when running the role.
# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
# If you do not want the tasks from that section to get executed you simply set the variable to "false".
rhel9cis_section1: {{ rhel9cis_section1 }}
rhel9cis_section2: {{ rhel9cis_section2 }}
rhel9cis_section3: {{ rhel9cis_section3 }}
rhel9cis_section4: {{ rhel9cis_section4 }}
rhel9cis_section5: {{ rhel9cis_section5 }}
rhel9cis_section6: {{ rhel9cis_section6 }}
rhel9cis_section7: {{ rhel9cis_section7 }}
# This is used for audit purposes; to run only a specific level, use the tags
# e.g.
# - level1-server
# - level2-workstation
rhel9cis_level_1: {{ rhel9cis_level_1 }}
rhel9cis_level_2: {{ rhel9cis_level_2 }}
## Section 1.6 - Mandatory Access Control
# This variable governs whether SELinux is disabled or not. Unless SELinux is disabled by setting
# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }}
# This variable is used in a preliminary task, handling grub2 paths either in case of
# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg').
rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
## Benchmark name used by auditing control role
# The audit variable found at the base
## metadata for Audit benchmark
benchmark_version: {{ benchmark_version }}
benchmark: RHEL9-CIS
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
# Filesystem kernel modules
rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }}
rhel9cis_rule_1_1_1_5: {{ rhel9cis_rule_1_1_1_5 }}
rhel9cis_rule_1_1_1_6: {{ rhel9cis_rule_1_1_1_6 }}
rhel9cis_rule_1_1_1_7: {{ rhel9cis_rule_1_1_1_7 }}
rhel9cis_rule_1_1_1_8: {{ rhel9cis_rule_1_1_1_8 }}
rhel9cis_rule_1_1_1_9: {{ rhel9cis_rule_1_1_1_9 }}
# Filesystems
# /tmp
rhel9cis_rule_1_1_2_1_1: {{ rhel9cis_rule_1_1_2_1_1 }}
rhel9cis_rule_1_1_2_1_2: {{ rhel9cis_rule_1_1_2_1_2 }}
rhel9cis_rule_1_1_2_1_3: {{ rhel9cis_rule_1_1_2_1_3 }}
rhel9cis_rule_1_1_2_1_4: {{ rhel9cis_rule_1_1_2_1_4 }}
# /dev/shm
rhel9cis_rule_1_1_2_2_1: {{ rhel9cis_rule_1_1_2_2_1 }}
rhel9cis_rule_1_1_2_2_2: {{ rhel9cis_rule_1_1_2_2_2 }}
rhel9cis_rule_1_1_2_2_3: {{ rhel9cis_rule_1_1_2_2_3 }}
rhel9cis_rule_1_1_2_2_4: {{ rhel9cis_rule_1_1_2_2_4 }}
# /home
rhel9cis_rule_1_1_2_3_1: {{ rhel9cis_rule_1_1_2_3_1 }}
rhel9cis_rule_1_1_2_3_2: {{ rhel9cis_rule_1_1_2_3_2 }}
rhel9cis_rule_1_1_2_3_3: {{ rhel9cis_rule_1_1_2_3_3 }}
# /var
rhel9cis_rule_1_1_2_4_1: {{ rhel9cis_rule_1_1_2_4_1 }}
rhel9cis_rule_1_1_2_4_2: {{ rhel9cis_rule_1_1_2_4_2 }}
rhel9cis_rule_1_1_2_4_3: {{ rhel9cis_rule_1_1_2_4_3 }}
# /var/tmp
rhel9cis_rule_1_1_2_5_1: {{ rhel9cis_rule_1_1_2_5_1 }}
rhel9cis_rule_1_1_2_5_2: {{ rhel9cis_rule_1_1_2_5_2 }}
rhel9cis_rule_1_1_2_5_3: {{ rhel9cis_rule_1_1_2_5_3 }}
rhel9cis_rule_1_1_2_5_4: {{ rhel9cis_rule_1_1_2_5_4 }}
# /var/log
rhel9cis_rule_1_1_2_6_1: {{ rhel9cis_rule_1_1_2_6_1 }}
rhel9cis_rule_1_1_2_6_2: {{ rhel9cis_rule_1_1_2_6_2 }}
rhel9cis_rule_1_1_2_6_3: {{ rhel9cis_rule_1_1_2_6_3 }}
rhel9cis_rule_1_1_2_6_4: {{ rhel9cis_rule_1_1_2_6_4 }}
# /var/log/audit
rhel9cis_rule_1_1_2_7_1: {{ rhel9cis_rule_1_1_2_7_1 }}
rhel9cis_rule_1_1_2_7_2: {{ rhel9cis_rule_1_1_2_7_2 }}
rhel9cis_rule_1_1_2_7_3: {{ rhel9cis_rule_1_1_2_7_3 }}
rhel9cis_rule_1_1_2_7_4: {{ rhel9cis_rule_1_1_2_7_4 }}
# Package Mgmt
# Config Pkg Repos
rhel9cis_rule_1_2_1_1: {{ rhel9cis_rule_1_2_1_1 }}
rhel9cis_rule_1_2_1_2: {{ rhel9cis_rule_1_2_1_2 }}
rhel9cis_rule_1_2_1_3: {{ rhel9cis_rule_1_2_1_3 }}
rhel9cis_rule_1_2_1_4: {{ rhel9cis_rule_1_2_1_4 }}
# Package updates
rhel9cis_rule_1_2_2_1: {{ rhel9cis_rule_1_2_2_1 }}
# Selinux
rhel9cis_rule_1_3_1_1: {{ rhel9cis_rule_1_3_1_1 }}
rhel9cis_rule_1_3_1_2: {{ rhel9cis_rule_1_3_1_2 }}
rhel9cis_rule_1_3_1_3: {{ rhel9cis_rule_1_3_1_3 }}
rhel9cis_rule_1_3_1_4: {{ rhel9cis_rule_1_3_1_4 }}
rhel9cis_rule_1_3_1_5: {{ rhel9cis_rule_1_3_1_5 }}
rhel9cis_rule_1_3_1_6: {{ rhel9cis_rule_1_3_1_6 }}
rhel9cis_rule_1_3_1_7: {{ rhel9cis_rule_1_3_1_7 }}
rhel9cis_rule_1_3_1_8: {{ rhel9cis_rule_1_3_1_8 }}
# Bootloader
rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
# Additional Process Hardening
rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
rhel9cis_rule_1_5_4: {{ rhel9cis_rule_1_5_4 }}
# Config system wide Crypto
rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }}
rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }}
rhel9cis_rule_1_6_3: {{ rhel9cis_rule_1_6_3 }}
rhel9cis_rule_1_6_4: {{ rhel9cis_rule_1_6_4 }}
rhel9cis_rule_1_6_5: {{ rhel9cis_rule_1_6_5 }}
rhel9cis_rule_1_6_6: {{ rhel9cis_rule_1_6_6 }}
rhel9cis_rule_1_6_7: {{ rhel9cis_rule_1_6_7 }}
# Command line warning banners
rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }}
rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }}
rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }}
rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }}
rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }}
rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }}
# Gnome Display Manager
rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_1 }}
rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }}
rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }}
rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }}
rhel9cis_rule_1_8_6: {{ rhel9cis_rule_1_8_6 }}
rhel9cis_rule_1_8_7: {{ rhel9cis_rule_1_8_7 }}
rhel9cis_rule_1_8_8: {{ rhel9cis_rule_1_8_8 }}
rhel9cis_rule_1_8_9: {{ rhel9cis_rule_1_8_9 }}
rhel9cis_rule_1_8_10: {{ rhel9cis_rule_1_8_10 }}
# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
## Configure Server Services
rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }}
rhel9cis_rule_2_1_3: {{ rhel9cis_rule_2_1_3 }}
rhel9cis_rule_2_1_4: {{ rhel9cis_rule_2_1_4 }}
rhel9cis_rule_2_1_5: {{ rhel9cis_rule_2_1_5 }}
rhel9cis_rule_2_1_6: {{ rhel9cis_rule_2_1_6 }}
rhel9cis_rule_2_1_7: {{ rhel9cis_rule_2_1_7 }}
rhel9cis_rule_2_1_8: {{ rhel9cis_rule_2_1_8 }}
rhel9cis_rule_2_1_9: {{ rhel9cis_rule_2_1_9 }}
rhel9cis_rule_2_1_10: {{ rhel9cis_rule_2_1_10 }}
rhel9cis_rule_2_1_11: {{ rhel9cis_rule_2_1_11 }}
rhel9cis_rule_2_1_12: {{ rhel9cis_rule_2_1_12 }}
rhel9cis_rule_2_1_13: {{ rhel9cis_rule_2_1_13 }}
rhel9cis_rule_2_1_14: {{ rhel9cis_rule_2_1_14 }}
rhel9cis_rule_2_1_15: {{ rhel9cis_rule_2_1_15 }}
rhel9cis_rule_2_1_16: {{ rhel9cis_rule_2_1_16 }}
rhel9cis_rule_2_1_17: {{ rhel9cis_rule_2_1_17 }}
rhel9cis_rule_2_1_18: {{ rhel9cis_rule_2_1_18 }}
rhel9cis_rule_2_1_19: {{ rhel9cis_rule_2_1_19 }}
rhel9cis_rule_2_1_20: {{ rhel9cis_rule_2_1_20 }}
rhel9cis_rule_2_1_21: {{ rhel9cis_rule_2_1_21 }}
rhel9cis_rule_2_1_22: {{ rhel9cis_rule_2_1_22 }}
## Configure Client Services
rhel9cis_rule_2_2_1: {{ rhel9cis_rule_2_2_1 }}
rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }}
rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }}
rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }}
rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }}
## Configure Time Synchronization
rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
## Job Schedulers
### cron
rhel9cis_rule_2_4_1_1: {{ rhel9cis_rule_2_4_1_1 }}
rhel9cis_rule_2_4_1_2: {{ rhel9cis_rule_2_4_1_2 }}
rhel9cis_rule_2_4_1_3: {{ rhel9cis_rule_2_4_1_3 }}
rhel9cis_rule_2_4_1_4: {{ rhel9cis_rule_2_4_1_4 }}
rhel9cis_rule_2_4_1_5: {{ rhel9cis_rule_2_4_1_5 }}
rhel9cis_rule_2_4_1_6: {{ rhel9cis_rule_2_4_1_6 }}
rhel9cis_rule_2_4_1_7: {{ rhel9cis_rule_2_4_1_7 }}
rhel9cis_rule_2_4_1_8: {{ rhel9cis_rule_2_4_1_8 }}
### at
rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }}
# Section 3 Network
## Network Devices
rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
## Network Kernel Modules
rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }}
rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }}
# Network Kernel Parameters
rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }}
rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }}
rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }}
rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }}
rhel9cis_rule_3_3_5: {{ rhel9cis_rule_3_3_5 }}
rhel9cis_rule_3_3_6: {{ rhel9cis_rule_3_3_6 }}
rhel9cis_rule_3_3_7: {{ rhel9cis_rule_3_3_7 }}
rhel9cis_rule_3_3_8: {{ rhel9cis_rule_3_3_8 }}
rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }}
rhel9cis_rule_3_3_10: {{ rhel9cis_rule_3_3_10 }}
rhel9cis_rule_3_3_11: {{ rhel9cis_rule_3_3_11 }}
# Section 4 Firewalls
## Firewall utility
rhel9cis_rule_4_1_1: {{ rhel9cis_rule_4_1_1 }}
rhel9cis_rule_4_1_2: {{ rhel9cis_rule_4_1_2 }}
## Configure firewalld
rhel9cis_rule_4_2_1: {{ rhel9cis_rule_4_2_1 }}
rhel9cis_rule_4_2_2: {{ rhel9cis_rule_4_2_2 }}
# Configure nftables
rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }}
rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }}
rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }}
rhel9cis_rule_4_3_4: {{ rhel9cis_rule_4_3_4 }}
## Section 5
## 5.1. Configure SSH Server
rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }}
rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }}
rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }}
rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }}
rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }}
rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }}
rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }}
rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }}
rhel9cis_rule_5_1_9: {{ rhel9cis_rule_5_1_9 }}
rhel9cis_rule_5_1_10: {{ rhel9cis_rule_5_1_10 }}
rhel9cis_rule_5_1_11: {{ rhel9cis_rule_5_1_11 }}
rhel9cis_rule_5_1_12: {{ rhel9cis_rule_5_1_12 }}
rhel9cis_rule_5_1_13: {{ rhel9cis_rule_5_1_13 }}
rhel9cis_rule_5_1_14: {{ rhel9cis_rule_5_1_14 }}
rhel9cis_rule_5_1_15: {{ rhel9cis_rule_5_1_15 }}
rhel9cis_rule_5_1_16: {{ rhel9cis_rule_5_1_16 }}
rhel9cis_rule_5_1_17: {{ rhel9cis_rule_5_1_17 }}
rhel9cis_rule_5_1_18: {{ rhel9cis_rule_5_1_18 }}
rhel9cis_rule_5_1_19: {{ rhel9cis_rule_5_1_19 }}
rhel9cis_rule_5_1_20: {{ rhel9cis_rule_5_1_20 }}
rhel9cis_rule_5_1_21: {{ rhel9cis_rule_5_1_21 }}
rhel9cis_rule_5_1_22: {{ rhel9cis_rule_5_1_22 }}
## 5.2 Configure Privilege Escalation
rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }}
rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }}
rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }}
rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }}
rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }}
rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }}
rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }}
# 5.3.1.x Configure PAM software packages
rhel9cis_rule_5_3_1_1: {{ rhel9cis_rule_5_3_1_1 }}
rhel9cis_rule_5_3_1_2: {{ rhel9cis_rule_5_3_1_2 }}
rhel9cis_rule_5_3_1_3: {{ rhel9cis_rule_5_3_1_3 }}
# 5.3.2 Configure authselect
rhel9cis_rule_5_3_2_1: {{ rhel9cis_rule_5_3_2_1 }}
rhel9cis_rule_5_3_2_2: {{ rhel9cis_rule_5_3_2_2 }}
rhel9cis_rule_5_3_2_3: {{ rhel9cis_rule_5_3_2_3 }}
rhel9cis_rule_5_3_2_4: {{ rhel9cis_rule_5_3_2_4 }}
rhel9cis_rule_5_3_2_5: {{ rhel9cis_rule_5_3_2_5 }}
# 5.3.3.1 Configure pam_faillock module
rhel9cis_rule_5_3_3_1_1: {{ rhel9cis_rule_5_3_3_1_1 }}
rhel9cis_rule_5_3_3_1_2: {{ rhel9cis_rule_5_3_3_1_2 }}
rhel9cis_rule_5_3_3_1_3: {{ rhel9cis_rule_5_3_3_1_3 }}
# 5.3.3.2 Configure pam_pwquality module
rhel9cis_rule_5_3_3_2_1: {{ rhel9cis_rule_5_3_3_2_1 }}
rhel9cis_rule_5_3_3_2_2: {{ rhel9cis_rule_5_3_3_2_2 }}
rhel9cis_rule_5_3_3_2_3: {{ rhel9cis_rule_5_3_3_2_3 }}
rhel9cis_rule_5_3_3_2_4: {{ rhel9cis_rule_5_3_3_2_4 }}
rhel9cis_rule_5_3_3_2_5: {{ rhel9cis_rule_5_3_3_2_5 }}
rhel9cis_rule_5_3_3_2_6: {{ rhel9cis_rule_5_3_3_2_6 }}
rhel9cis_rule_5_3_3_2_7: {{ rhel9cis_rule_5_3_3_2_7 }}
rhel9cis_rule_5_3_3_2_8: {{ rhel9cis_rule_5_3_3_2_8 }}
# 5.3.3.3 Configure pam_pwhistory module
# These are added as part of 5.3.2.4 using the jinja2 template
rhel9cis_rule_5_3_3_3_1: {{ rhel9cis_rule_5_3_3_3_1 }}
rhel9cis_rule_5_3_3_3_2: {{ rhel9cis_rule_5_3_3_3_2 }}
rhel9cis_rule_5_3_3_3_3: {{ rhel9cis_rule_5_3_3_3_3 }}
# 5.3.3.4 Configure pam_unix module
rhel9cis_rule_5_3_3_4_1: {{ rhel9cis_rule_5_3_3_4_1 }}
rhel9cis_rule_5_3_3_4_2: {{ rhel9cis_rule_5_3_3_4_2 }}
rhel9cis_rule_5_3_3_4_3: {{ rhel9cis_rule_5_3_3_4_3 }}
rhel9cis_rule_5_3_3_4_4: {{ rhel9cis_rule_5_3_3_4_4 }}
# 5.4 User Accounts and Environment
# 5.4.1 Configure shadow password suite parameters
rhel9cis_rule_5_4_1_1: {{ rhel9cis_rule_5_4_1_1 }}
rhel9cis_rule_5_4_1_2: {{ rhel9cis_rule_5_4_1_2 }}
rhel9cis_rule_5_4_1_3: {{ rhel9cis_rule_5_4_1_3 }}
rhel9cis_rule_5_4_1_4: {{ rhel9cis_rule_5_4_1_4 }}
rhel9cis_rule_5_4_1_5: {{ rhel9cis_rule_5_4_1_5 }}
rhel9cis_rule_5_4_1_6: {{ rhel9cis_rule_5_4_1_6 }}
# 5.4.2 Configure root and system accounts and environment
rhel9cis_rule_5_4_2_1: {{ rhel9cis_rule_5_4_2_1 }}
rhel9cis_rule_5_4_2_2: {{ rhel9cis_rule_5_4_2_2 }}
rhel9cis_rule_5_4_2_3: {{ rhel9cis_rule_5_4_2_3 }}
rhel9cis_rule_5_4_2_4: {{ rhel9cis_rule_5_4_2_4 }}
rhel9cis_rule_5_4_2_5: {{ rhel9cis_rule_5_4_2_5 }}
rhel9cis_rule_5_4_2_6: {{ rhel9cis_rule_5_4_2_6 }}
rhel9cis_rule_5_4_2_7: {{ rhel9cis_rule_5_4_2_7 }}
rhel9cis_rule_5_4_2_8: {{ rhel9cis_rule_5_4_2_8 }}
# 5.4.2 Configure user default environment
rhel9cis_rule_5_4_3_1: {{ rhel9cis_rule_5_4_3_1 }}
rhel9cis_rule_5_4_3_2: {{ rhel9cis_rule_5_4_3_2 }}
rhel9cis_rule_5_4_3_3: {{ rhel9cis_rule_5_4_3_3 }}
# Section 6 Logging and Auditing
## 6.1 Configure Integrity Checking
rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }}
rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }}
rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }}
## 6.2.1 Configure systemd-journald service
rhel9cis_rule_6_2_1_1: {{ rhel9cis_rule_6_2_1_1 }}
rhel9cis_rule_6_2_1_2: {{ rhel9cis_rule_6_2_1_2 }}
rhel9cis_rule_6_2_1_3: {{ rhel9cis_rule_6_2_1_3 }}
rhel9cis_rule_6_2_1_4: {{ rhel9cis_rule_6_2_1_4 }}
## 6.2.2.x Configure journald
rhel9cis_rule_6_2_2_1_1: {{ rhel9cis_rule_6_2_2_1_1 }}
rhel9cis_rule_6_2_2_1_2: {{ rhel9cis_rule_6_2_2_1_2 }}
rhel9cis_rule_6_2_2_1_3: {{ rhel9cis_rule_6_2_2_1_3 }}
rhel9cis_rule_6_2_2_1_4: {{ rhel9cis_rule_6_2_2_1_4 }}
rhel9cis_rule_6_2_2_2: {{ rhel9cis_rule_6_2_2_2 }}
rhel9cis_rule_6_2_2_3: {{ rhel9cis_rule_6_2_2_3 }}
rhel9cis_rule_6_2_2_4: {{ rhel9cis_rule_6_2_2_4 }}
## 6.2.3 Configure rsyslog
rhel9cis_rule_6_2_3_1: {{ rhel9cis_rule_6_2_3_1 }}
rhel9cis_rule_6_2_3_2: {{ rhel9cis_rule_6_2_3_2 }}
rhel9cis_rule_6_2_3_3: {{ rhel9cis_rule_6_2_3_3 }}
rhel9cis_rule_6_2_3_4: {{ rhel9cis_rule_6_2_3_4 }}
rhel9cis_rule_6_2_3_5: {{ rhel9cis_rule_6_2_3_5 }}
rhel9cis_rule_6_2_3_6: {{ rhel9cis_rule_6_2_3_6 }}
rhel9cis_rule_6_2_3_7: {{ rhel9cis_rule_6_2_3_7 }}
rhel9cis_rule_6_2_3_8: {{ rhel9cis_rule_6_2_3_8 }}
## 6.2.4 Configure Logfiles
rhel9cis_rule_6_2_4_1: {{ rhel9cis_rule_6_2_4_1 }}
## 6.3 Configure Auditing
## 6.3.1 Configure auditd Service
rhel9cis_rule_6_3_1_1: {{ rhel9cis_rule_6_3_1_1 }}
rhel9cis_rule_6_3_1_2: {{ rhel9cis_rule_6_3_1_2 }}
rhel9cis_rule_6_3_1_3: {{ rhel9cis_rule_6_3_1_3 }}
rhel9cis_rule_6_3_1_4: {{ rhel9cis_rule_6_3_1_4 }}
## 6.3.2 Configure Data Retention
rhel9cis_rule_6_3_2_1: {{ rhel9cis_rule_6_3_2_1 }}
rhel9cis_rule_6_3_2_2: {{ rhel9cis_rule_6_3_2_2 }}
rhel9cis_rule_6_3_2_3: {{ rhel9cis_rule_6_3_2_3 }}
rhel9cis_rule_6_3_2_4: {{ rhel9cis_rule_6_3_2_4 }}
## 6.3.3 Configure auditd Rules
rhel9cis_rule_6_3_3_1: {{ rhel9cis_rule_6_3_3_1 }}
rhel9cis_rule_6_3_3_2: {{ rhel9cis_rule_6_3_3_2 }}
rhel9cis_rule_6_3_3_3: {{ rhel9cis_rule_6_3_3_3 }}
rhel9cis_rule_6_3_3_4: {{ rhel9cis_rule_6_3_3_4 }}
rhel9cis_rule_6_3_3_5: {{ rhel9cis_rule_6_3_3_5 }}
rhel9cis_rule_6_3_3_6: {{ rhel9cis_rule_6_3_3_6 }}
rhel9cis_rule_6_3_3_7: {{ rhel9cis_rule_6_3_3_7 }}
rhel9cis_rule_6_3_3_8: {{ rhel9cis_rule_6_3_3_8 }}
rhel9cis_rule_6_3_3_9: {{ rhel9cis_rule_6_3_3_9 }}
rhel9cis_rule_6_3_3_10: {{ rhel9cis_rule_6_3_3_10 }}
rhel9cis_rule_6_3_3_11: {{ rhel9cis_rule_6_3_3_11 }}
rhel9cis_rule_6_3_3_12: {{ rhel9cis_rule_6_3_3_12 }}
rhel9cis_rule_6_3_3_13: {{ rhel9cis_rule_6_3_3_13 }}
rhel9cis_rule_6_3_3_14: {{ rhel9cis_rule_6_3_3_14 }}
rhel9cis_rule_6_3_3_15: {{ rhel9cis_rule_6_3_3_15 }}
rhel9cis_rule_6_3_3_16: {{ rhel9cis_rule_6_3_3_16 }}
rhel9cis_rule_6_3_3_17: {{ rhel9cis_rule_6_3_3_17 }}
rhel9cis_rule_6_3_3_18: {{ rhel9cis_rule_6_3_3_18 }}
rhel9cis_rule_6_3_3_19: {{ rhel9cis_rule_6_3_3_19 }}
rhel9cis_rule_6_3_3_20: {{ rhel9cis_rule_6_3_3_20 }}
rhel9cis_rule_6_3_3_21: {{ rhel9cis_rule_6_3_3_21 }}
## 6.3.4 Configure auditd File Access
rhel9cis_rule_6_3_4_1: {{ rhel9cis_rule_6_3_4_1 }}
rhel9cis_rule_6_3_4_2: {{ rhel9cis_rule_6_3_4_2 }}
rhel9cis_rule_6_3_4_3: {{ rhel9cis_rule_6_3_4_3 }}
rhel9cis_rule_6_3_4_4: {{ rhel9cis_rule_6_3_4_4 }}
rhel9cis_rule_6_3_4_5: {{ rhel9cis_rule_6_3_4_5 }}
rhel9cis_rule_6_3_4_6: {{ rhel9cis_rule_6_3_4_6 }}
rhel9cis_rule_6_3_4_7: {{ rhel9cis_rule_6_3_4_7 }}
rhel9cis_rule_6_3_4_8: {{ rhel9cis_rule_6_3_4_8 }}
rhel9cis_rule_6_3_4_9: {{ rhel9cis_rule_6_3_4_9 }}
rhel9cis_rule_6_3_4_10: {{ rhel9cis_rule_6_3_4_10 }}
# Section 7 System Maintenance
## 7.1 System File Permissions
rhel9cis_rule_7_1_1: {{ rhel9cis_rule_7_1_1 }}
rhel9cis_rule_7_1_2: {{ rhel9cis_rule_7_1_2 }}
rhel9cis_rule_7_1_3: {{ rhel9cis_rule_7_1_3 }}
rhel9cis_rule_7_1_4: {{ rhel9cis_rule_7_1_4 }}
rhel9cis_rule_7_1_5: {{ rhel9cis_rule_7_1_5 }}
rhel9cis_rule_7_1_6: {{ rhel9cis_rule_7_1_6 }}
rhel9cis_rule_7_1_7: {{ rhel9cis_rule_7_1_7 }}
rhel9cis_rule_7_1_8: {{ rhel9cis_rule_7_1_8 }}
rhel9cis_rule_7_1_9: {{ rhel9cis_rule_7_1_9 }}
rhel9cis_rule_7_1_10: {{ rhel9cis_rule_7_1_10 }}
rhel9cis_rule_7_1_11: {{ rhel9cis_rule_7_1_11 }}
rhel9cis_rule_7_1_12: {{ rhel9cis_rule_7_1_12 }}
rhel9cis_rule_7_1_13: {{ rhel9cis_rule_7_1_13 }}
## 7.2 Local User and Group Settings
rhel9cis_rule_7_2_1: {{ rhel9cis_rule_7_2_1 }}
rhel9cis_rule_7_2_2: {{ rhel9cis_rule_7_2_2 }}
rhel9cis_rule_7_2_3: {{ rhel9cis_rule_7_2_3 }}
rhel9cis_rule_7_2_4: {{ rhel9cis_rule_7_2_4 }}
rhel9cis_rule_7_2_5: {{ rhel9cis_rule_7_2_5 }}
rhel9cis_rule_7_2_6: {{ rhel9cis_rule_7_2_6 }}
rhel9cis_rule_7_2_7: {{ rhel9cis_rule_7_2_7 }}
rhel9cis_rule_7_2_8: {{ rhel9cis_rule_7_2_8 }}
rhel9cis_rule_7_2_9: {{ rhel9cis_rule_7_2_9 }}
## Section 1 vars
## Control 1.4.1
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
## Controls:
# - 1.7.1 - Ensure message of the day is configured properly
# - 1.7.2 - Ensure local login warning banner is configured properly
# - 1.7.3 - Ensure remote login warning banner is configured properly
# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
# End Banner
## Control 1.8.x - Settings for GDM
## 1.8 GDM graphical interface
rhel9cis_gui: {{ rhel9cis_gui }}
# This variable specifies the GNOME configuration database file to which configurations are written.
# (See "https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en")
# The default database is 'local'.
rhel9cis_dconf_db_name: {{ rhel9cis_dconf_db_name }}
## Section 2. Services
# Service configuration
# Options are
# Service
# - false - removes package
# - true - leaves package installed
# Mask
# - false - leaves service in current status
# - true - sets service name to masked
#
# Setting both Service and Mask to false will remove the package if exists
rhel9cis_autofs_services: {{ rhel9cis_autofs_services }}
rhel9cis_autofs_mask: {{ rhel9cis_autofs_mask }}
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
rhel9cis_avahi_mask: {{ rhel9cis_avahi_mask }}
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
rhel9cis_dhcp_mask: {{ rhel9cis_dhcp_mask }}
rhel9cis_dns_server: {{ rhel9cis_dns_server }}
rhel9cis_dns_mask: {{ rhel9cis_dns_mask }}
rhel9cis_dnsmasq_server: {{ rhel9cis_dnsmasq_server }}
rhel9cis_dnsmasq_mask: {{ rhel9cis_dnsmasq_mask }}
rhel9cis_samba_server: {{ rhel9cis_samba_server }}
rhel9cis_samba_mask: {{ rhel9cis_samba_mask }}
rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
rhel9cis_ftp_mask: {{ rhel9cis_ftp_mask }}
rhel9cis_message_server: {{ rhel9cis_message_server }} # This is for messaging dovecot and cyrus-imap
rhel9cis_message_mask: {{ rhel9cis_message_mask }}
rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
rhel9cis_nfs_mask: {{ rhel9cis_nfs_mask }}
rhel9cis_nis_server: {{ rhel9cis_nis_server }} # set to mask if nis client required
rhel9cis_nis_mask: {{ rhel9cis_nis_mask }}
rhel9cis_print_server: {{ rhel9cis_print_server }} # replaces cups
rhel9cis_print_mask: {{ rhel9cis_print_mask }}
rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
rhel9cis_rpc_mask: {{ rhel9cis_rpc_mask }}
rhel9cis_rsync_server: {{ rhel9cis_rsync_server }}
rhel9cis_rsync_mask: {{ rhel9cis_rsync_mask }}
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
rhel9cis_snmp_mask: {{ rhel9cis_snmp_mask }}
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
rhel9cis_telnet_mask: {{ rhel9cis_telnet_mask }}
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
rhel9cis_tftp_mask: {{ rhel9cis_tftp_mask }}
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
rhel9cis_squid_mask: {{ rhel9cis_squid_mask }}
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
rhel9cis_httpd_mask: {{ rhel9cis_httpd_mask }}
rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
rhel9cis_nginx_mask: {{ rhel9cis_nginx_mask }}
rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
rhel9cis_xinetd_mask: {{ rhel9cis_xinetd_mask }}
rhel9cis_xwindow_server: {{ rhel9cis_xwindow_server }} # will be removed; masking is not an option
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
## Section 2.3 Service clients
rhel9cis_ftp_client: {{ rhel9cis_ftp_client }}
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} # Same package as NIS server
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
## Section 3 vars
## Sysctl
# Service configuration
# Options are
# Service
# - false - removes package
# - true - leaves package installed
# Mask
# - false - leaves service in current status
# - true - sets service name to masked
#
# Setting both Service and Mask to false will remove the package if exists
#
rhel9cis_bluetooth_service: {{ rhel9cis_bluetooth_service }}
rhel9cis_bluetooth_mask: {{ rhel9cis_bluetooth_mask }}
## 3.1 IPv6 requirement toggle
# This variable governs whether ipv6 is enabled or disabled.
rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
# 3.3 System network parameters (host only OR host and router)
# This variable governs whether specific CIS rules
# concerned with acceptance and routing of packets are skipped.
rhel9cis_is_router: {{ rhel9cis_is_router }}
# Section 4 vars
### Firewall Service to install and configure - Options are:
# 1) either 'firewalld'
# 2) or 'nftables'
#### Some controls allow for services to be removed or masked
#### The options are under each heading
#### absent = remove the package
#### masked = leave package if installed and mask the service
rhel9cis_firewall: {{ rhel9cis_firewall }}
## Section5 vars
## Section 5.1 - SSH
## Controls:
## - 5.1.7 - Ensure SSH access is limited
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of the `AllowUsers` option in the `/etc/ssh/sshd_config` file.
# If the USER@HOST format is used, the specified user will be allowed only on that particular host.
# In this template the value is derived from the connecting user (or from SUDO_USER when connecting as root);
# if neither applies it renders as an empty string, so check the rendered value before relying on this audit.
rhel9cis_sshd_allowusers: "{% if ansible_facts.user_id != 'root' %}{{ ansible_facts.user_id }}{% elif ansible_env.SUDO_USER is defined %}{{ ansible_env.SUDO_USER }}{% endif %}"
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
rhel9cis_sshd_allowgroups: {{ rhel9cis_sshd_allowgroups }}
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of the `DenyUsers` option in the `/etc/ssh/sshd_config` file.
# If the USER@HOST format is used, the specified user will be restricted only on that particular host.
rhel9cis_sshd_denyusers: {{ rhel9cis_sshd_denyusers }}
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces,
# to prevent SSH access for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
rhel9cis_sshd_denygroups: {{ rhel9cis_sshd_denygroups }}
## Control 5.2.x - Ensure sudo log file exists
# By default, sudo logs through syslog(3). To use a custom log file instead, the
# 'logfile' parameter is set to this variable's value.
# This variable defines the path and file name of the sudo log file.
rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }}
## Control 5.2.4
# NOPASSWD entries for these users are left intact by control 5.2.4.
# NOTE(review): this list is hard-coded here rather than templated from a role variable like the
# other settings in this file — confirm it matches the exclusion list the role actually applies.
rhel9cis_sudoers_exclude_nopasswd_list:
- ec2-user
- vagrant
## Control 5.2 - Ensure access to the 'su' command is restricted
# This variable determines the name of the group of users that are allowed to use the su command.
# CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY.
rhel9cis_sugroup: {{ rhel9cis_sugroup }}
# Control 5.3.3.2
# Choose if using minclass or credits options
# Options are: minclass or credits
# ensure only one is selected
rhel9cis_passwd_complex_option: {{ rhel9cis_passwd_complex_option }}
## Section 5.4.1.x: Shadow Password Suite Parameters
## Control 5.4.1.1 - Ensure password expiration is 365 days or less
# This variable governs after how many days a password expires.
# CIS requires a value of 365 or less.
rhel9cis_pass_max_days: 365
## Control 5.4.1.2 - Ensure minimum days between password changes is 7 or more
# This variable specifies the minimum number of days allowed between changing
# passwords. CIS requires a value of at least 1.
rhel9cis_pass_min_days: 7
## Control 5.4.1.3 - Ensure password expiration warning days is 7 or more
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
rhel9cis_pass_warn_age: 7
## PAM AND Authselect
# This variable configures the name of the custom profile to be created and selected.
# To be changed from default - cis_example_profile
rhel9cis_authselect_custom_profile_name: {{ rhel9cis_authselect_custom_profile_name }}
### Controls:
# - 5.6.2 - Ensure system accounts are secured
# - 6.2.10 - Ensure local interactive user home directories exist
# - 6.2.11 - Ensure local interactive users own their home directories
# UID settings for interactive users
# These are discovered via login.defs if set to true
rhel9cis_discover_int_uid: {{ rhel9cis_discover_int_uid }}
# This variable sets the minimum number from which to search for UID
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`.
min_int_uid: 1000
### Controls:
# - Ensure local interactive user home directories exist
# - Ensure local interactive users own their home directories
# This variable sets the maximum number at which the search stops for UID
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`.
max_int_uid: 65533
## Section6 vars
## Control 6.1.2 AIDE schedule
# How the AIDE scheduler runs; can be one of 'cron' or 'timer'
rhel9cis_aide_scan: {{ rhel9cis_aide_scan }}
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
# The sub-settings of this variable provide the parameters required to configure
# the cron job on the target system.
# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
# and executed automatically at a certain point in time.
rhel9cis_aide_cron:
# This variable represents the user account under which the cron job for AIDE will run.
cron_user: root
# This variable represents the path to the AIDE crontab file.
cron_file: /etc/cron.d/aide_cron
# This variable represents the actual command or script that the cron job
# will execute for running AIDE.
aide_job: '/usr/sbin/aide --check'
# These variables define the schedule for the cron job
# This variable governs the minute of the time of day when the AIDE cronjob is run.
# It must be in the range `0-59`.
aide_minute: 0
# This variable governs the hour of the time of day when the AIDE cronjob is run.
# It must be in the range `0-23`.
aide_hour: 5
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) must be in the range `1-31`.
aide_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) must be in the range `1-12`.
aide_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
# can be concatenated with commas.
aide_weekday: '*'
#
## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging
## Control 6.2.3 | Configure rsyslog
## Control 6.2.1 | Configure journald
# This variable governs which logging service should be used. Choosing between 'rsyslog' (CIS recommendation)
# and 'journald' (only one is implemented) triggers the execution of the associated subsection, as the best
# practices for each are written wholly independently of each other.
rhel9cis_syslog: {{ rhel9cis_syslog }}
## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
# This variable expresses whether the system is used as a log server or not. If set to:
# - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts.
# - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity
# from local attacks on remote clients)
rhel9cis_system_is_log_server: {{ rhel9cis_system_is_log_server }}
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
# This variable governs if 'rsyslog' service should be automatically configured to forward messages to a
# remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding
# over UDP or TCP, will not be performed.
rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }}
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
# This variable configures the value of the 'target' parameter to be configured when enabling
# forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the
# destination server. For this value to be reflected in the configuration, the variable which enables the
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }}').
rhel9cis_remote_log_host: {{ rhel9cis_remote_log_host }}
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
# This variable configures the value of the 'port' parameter to be configured when enabling
# forwarding syslog messages to a remote log server. The default value for this destination port is 514.
# For this value to be reflected in the configuration, the variable which enables the
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }}').
rhel9cis_remote_log_port: {{ rhel9cis_remote_log_port }}
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
# This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling
# forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP.
# For this value to be reflected in the configuration, the variable which enables the
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }}').
rhel9cis_remote_log_protocol: {{ rhel9cis_remote_log_protocol }}
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
# This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before
# it is considered to have failed(that roughly translates to discarded messages). The default value is 0, but
# when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect
# if server is not responding. For this value to be reflected in the configuration, the variable which enables the
# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }}').
rhel9cis_remote_log_retrycount: {{ rhel9cis_remote_log_retrycount }}
## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host
# This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter).
# For this value to be reflected in the configuration, the variable which enables the automatic configuration
# of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }}').
rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }}
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
# number may be specified after a colon (":"), otherwise 19532 will be used by default.
rhel9cis_journal_upload_url: {{ rhel9cis_journal_upload_url }}
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the private key file used by the remote journal
# server to authenticate itself to the client. This key is used alongside the server's
# public certificate to establish secure communication.
rhel9cis_journal_upload_serverkeyfile: {{ rhel9cis_journal_upload_serverkeyfile }}
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the public certificate file of the remote journal
# server. This certificate is used to verify the authenticity of the remote server.
rhel9cis_journal_servercertificatefile: {{ rhel9cis_journal_servercertificatefile }}
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
rhel9cis_journal_trustedcertificatefile: {{ rhel9cis_journal_trustedcertificatefile }}
# Section 7 Vars
# 7.1.12 Ensure no files or directories without an owner and a group exist
rhel9cis_exclude_unowned_search_path: \( ! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*" \)