RHEL9-CIS/vars/main.yml

---
# vars file for RHEL9-CIS

min_ansible_version: 2.10.1
rhel9cis_allowed_crypto_policies:
  - 'DEFAULT'
  - 'FUTURE'
  - 'FIPS'

rhel9cis_allowed_crypto_policies_modules:
  - 'OSPP'
  - 'AD-SUPPORT'
  - 'AD-SUPPORT-LEGACY'
  - 'NO-SHA1'
  - 'NO-SSHCBC'
  - 'NO-SSHETM'
  - 'NO-SSHWEAKCIPHER'
  - 'NO-SSHWEAKMAC'
  - 'NO-WEAKMAC'

# Used to control warning summary
warn_control_list: ""
warn_count: 0

gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"

## Control 6.3.3.x - Audit template
# This variable governs if the auditd logic should be executed(if value is true).
# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
update_audit_template: false

# Defaults
## Usage on containerized images
# The role discovers dynamically (in tasks/main.yml) whether it
# is executed on a container image and sets the variable
# system_is_container the true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false
# The filename of the existing yml file in role's  'vars/' sub-directory
# to be used for managing the role-behavior when a container was detected:
# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific
# firewall-type).
container_vars_file: is_container.yml
# rhel9cis is left off the front of this var for consistency in testing pipeline
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
system_is_ec2: false

# Aide initiate command for new DB creation
aide_initiate_command: aideinit -y -f

# Audit vars
audit_bins:
  - /sbin/auditctl
  - /sbin/aureport
  - /sbin/ausearch
  - /sbin/autrace
  - /sbin/auditd
  - /sbin/augenrules
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`
			`# vars file for RHEL9-CIS`
Fix in logic for Alma (#4) * container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-02-02 11:25:03 +00:00
fixed version Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-27 12:21:26 +00:00			`min_ansible_version: 2.10.1`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`rhel9cis_allowed_crypto_policies:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:01:40 +01:00			`- 'DEFAULT'`
			`- 'FUTURE'`
			`- 'FIPS'`
added warning count Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-20 17:13:33 +01:00
rule_1.10 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-06-06 14:36:38 +01:00			`rhel9cis_allowed_crypto_policies_modules:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:01:40 +01:00			`- 'OSPP'`
			`- 'AD-SUPPORT'`
			`- 'AD-SUPPORT-LEGACY'`
			`- 'NO-SHA1'`
			`- 'NO-SSHCBC'`
			`- 'NO-SSHETM'`
			`- 'NO-SSHWEAKCIPHER'`
			`- 'NO-SSHWEAKMAC'`
			`- 'NO-WEAKMAC'`
rule_1.10 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-06-06 14:36:38 +01:00
added warning count Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-20 17:13:33 +01:00			`# Used to control warning summary`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`warn_control_list: ""`
Add blank row Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-25 11:24:50 +01:00			`warn_count: 0`
created new gpg_key_package variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-03-06 11:21:08 +00:00
Feb24 updates (#179) * change logic thanks to @rjacobs1990 see #175 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @ipruteani-sie #134 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Thanks to @stwongst #125 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @sgomez86 #146 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added updates from #115 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed rp_filter in post added in error Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated yamllint precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated fqcn fo json_query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix typo for virt type query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-02-20 15:43:43 +00:00			`gpg_key_package: "{{ ansible_facts.distribution \| lower }}-gpg-keys"`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:01:40 +01:00
			`## Control 6.3.3.x - Audit template`
			`# This variable governs if the auditd logic should be executed(if value is true).`
			`# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').`
			`update_audit_template: false`
tidy up and realign Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-08-09 13:14:56 +01:00
			`# Defaults`
			`## Usage on containerized images`
			`# The role discovers dynamically (in tasks/main.yml) whether it`
			`# is executed on a container image and sets the variable`
			`# system_is_container the true. Otherwise, the default value`
			`# 'false' is left unchanged.`
			`system_is_container: false`
			`# The filename of the existing yml file in role's 'vars/' sub-directory`
			`# to be used for managing the role-behavior when a container was detected:`
			`# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific`
			`# firewall-type).`
			`container_vars_file: is_container.yml`
			`# rhel9cis is left off the front of this var for consistency in testing pipeline`
			`# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks`
			`system_is_ec2: false`
aide variablizing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-10 16:45:49 +00:00
			`# Aide initiate command for new DB creation`
			`aide_initiate_command: aideinit -y -f`

			`# Audit vars`
			`audit_bins:`
			`- /sbin/auditctl`
			`- /sbin/aureport`
			`- /sbin/ausearch`
			`- /sbin/autrace`
			`- /sbin/auditd`
			`- /sbin/augenrules`