forked from ansible-lockdown/RHEL9-CIS
linting updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
4fc57c5a1f
commit
671ba154e7
13 changed files with 86 additions and 546 deletions
|
|
@ -858,10 +858,9 @@ rhel9cis_allow_authselect_updates: true
|
|||
##
|
||||
rhel9cis_authselect_pkg_update: false # NOTE the risks if system is using SSSD or using ipa-client-install
|
||||
|
||||
|
||||
## PAM AND Authselect
|
||||
|
||||
# To create a new profile (best for greenfield fresh sites not configured)
|
||||
# To create a new profile (best for greenfield fresh sites not configured)
|
||||
# This allows creation of a custom profile using an existing one to build from
|
||||
# will only create if profiel does not already exist
|
||||
## options true or false
|
||||
|
|
@ -914,9 +913,9 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
|
|||
# Choose if using minclass or credits options
|
||||
# Options are: minclass or credits
|
||||
# ensure only one is selected
|
||||
rhel9cis_passwd_complex_option: minclass
|
||||
rhel9cis_passwd_complex_option: minclass # pragma: allowlist secret
|
||||
rhel9cis_passwd_minclass: 3
|
||||
#rhel9cis_passwd_complex: credits
|
||||
# rhel9cis_passwd_complex: credits
|
||||
rhel9cis_passwd_dcredit: -1
|
||||
rhel9cis_passwd_ucredit: -2
|
||||
rhel9cis_passwd_ocredit: 0
|
||||
|
|
@ -950,18 +949,17 @@ rhel9cis_pamd_pwhistory_remember: 24
|
|||
# 5.3.3.4.x
|
||||
rhel9cis_passwd_hash_algo: sha512 # pragma: allowlist secret
|
||||
|
||||
## Section 5.4.1.x: Shadow Password Suite Parameters
|
||||
## Control 5.6.1.1 - Ensure password expiration is 365 days or less
|
||||
# This variable governs after how many days a password expires.
|
||||
# CIS requires a value of 365 or less.
|
||||
## Control 5.6.1.1 - Ensure password expiration is 365 days or less
|
||||
# This variable governs after how many days a password expires.
|
||||
# CIS requires a value of 365 or less.
|
||||
rhel9cis_pass_max_days: 365
|
||||
## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
|
||||
# This variable specifies the minimum number of days allowed between changing
|
||||
# passwords. CIS requires a value of at least 1.
|
||||
## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
|
||||
# This variable specifies the minimum number of days allowed between changing
|
||||
# passwords. CIS requires a value of at least 1.
|
||||
rhel9cis_pass_min_days: 7
|
||||
## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
|
||||
# This variable governs, how many days before a password expires, the user will be warned.
|
||||
# CIS requires a value of at least 7.
|
||||
## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
|
||||
# This variable governs, how many days before a password expires, the user will be warned.
|
||||
# CIS requires a value of at least 7.
|
||||
rhel9cis_pass_warn_age: 7
|
||||
|
||||
## Control 5.4.1.x - Ensure inactive password lock is 30 days or less
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue