improvments v2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-08-07 10:30:08 +01:00 · 2024-08-07 10:30:08 +01:00 · 4f566974c9
commit 4f566974c9
parent 0fc418a222
15 changed files with 110 additions and 58 deletions
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
--- a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
@ -0,0 +1,7 @@
+# CIS Configurations
+# 5.3.3.2.3 Ensure password complexity is configured
+minclass = {{ rhel9cis_passwd_minclass }}
+dcredit = {{rhel9cis_passwd_dcredit }}
+ucredit = {{ rhel9cis_passwd_ucredit }}
+ocredit = {{ rhel9cis_passwd_ocredit }}
+lcredit = {{ rhel9cis_passwd_lcredit }}
--- a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2
@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.6 Ensure password dictionary check is enabled
+dictcheck = {{ rhel9cis_passwd_dictcheck_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2
@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.1 Ensure password number of changed characters is configured
+difok = {{ rhel9cis_passwd_difok_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.2 Ensure minimum password length is configured
+minlen = {{ rhel9cis_passwd_minlen_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.5 Ensure password maximum sequential characters is configured
+maxsequence = {{ rhel9cis_passwd_maxsequence_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.7 Ensure password quality checking is enforced
+enforcing = {{ rhel9cis_passwd_quality_enforce_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.4 Ensure password same consecutive characters is configured
+maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.8 Ensure password quality is enforced for the root user
+{{ rhel9cis_passwd_quality_enforce_root_value }}
--- a/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
@ -0,0 +1,4 @@
+# File created for CIS benchmark
+# CIS rule 6_2_2_2
+[Journal]
+ForwardToSyslog=no
--- a/templates/etc/systemd/journald.conf.d/rotation.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/rotation.conf.j2
@ -0,0 +1,8 @@
+# File created for CIS benchmark
+# CIS rule 6_2_1_3
+[Journal]
+SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}
+SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}
+RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}
+RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}
+MaxFileSec={{ rhel9cis_journald_maxfilesec }}
--- a/templates/etc/systemd/journald.conf.d/storage.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/storage.conf.j2
@ -0,0 +1,11 @@
+# File created for CIS benchmark
+[Journal]
+{% if rhel9cis_rule_6_2_2_3 %}
+# Set compress CIS rule 6_2_2_3
+Compress=yes
+{% endif %}
+
+{% if rhel9cis_rule_6_2_2_4 %}
+# Set persistent storage CIS rule 6_2_2_4
+Storage=persistent
+{% endif %}