
rename snmp var

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-08-09 13:13:35 +01:00
parent 265423eb0a
commit 89345c12f8
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
2 changed files with 13 additions and 10 deletions


@ -666,8 +666,8 @@ rhel9cis_rpc_server: true
rhel9cis_rpc_mask: true rhel9cis_rpc_mask: true
rhel9cis_rsync_server: false rhel9cis_rsync_server: false
rhel9cis_rsync_mask: false rhel9cis_rsync_mask: false
rhel9cis_net_snmp_server: false rhel9cis_snmp_server: false
rhel9cis_net_snmp_mask: false rhel9cis_snmp_mask: false
rhel9cis_telnet_server: false rhel9cis_telnet_server: false
rhel9cis_telnet_mask: false rhel9cis_telnet_mask: false
rhel9cis_tftp_server: false rhel9cis_tftp_server: false
@ -965,19 +965,18 @@ rhel9cis_pamd_pwhistory_remember: 24
rhel9cis_passwd_hash_algo: sha512 # pragma: allowlist secret rhel9cis_passwd_hash_algo: sha512 # pragma: allowlist secret
## Section 5.4.1.x: Shadow Password Suite Parameters ## Section 5.4.1.x: Shadow Password Suite Parameters
rhel9cis_pass:
## Control 5.6.1.1 - Ensure password expiration is 365 days or less ## Control 5.6.1.1 - Ensure password expiration is 365 days or less
# This variable governs after how many days a password expires. # This variable governs after how many days a password expires.
# CIS requires a value of 365 or less. # CIS requires a value of 365 or less.
max_days: 365 rhel9cis_pass_max_days: 365
## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
# This variable specifies the minimum number of days allowed between changing # This variable specifies the minimum number of days allowed between changing
# passwords. CIS requires a value of at least 1. # passwords. CIS requires a value of at least 1.
min_days: 7 rhel9cis_pass_min_days: 7
## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
# This variable governs, how many days before a password expires, the user will be warned. # This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7. # CIS requires a value of at least 7.
warn_age: 7 rhel9cis_pass_warn_age: 7
## Control 5.4.1.x - Ensure inactive password lock is 30 days or less ## Control 5.4.1.x - Ensure inactive password lock is 30 days or less
rhel9cis_inactivelock: rhel9cis_inactivelock:
@ -1052,6 +1051,10 @@ max_int_uid: 65533
rhel9cis_config_aide: true rhel9cis_config_aide: true
## Control 6.1.2 AIDE cron settings ## Control 6.1.2 AIDE cron settings
## How the aide schedule is run either cron or timer
rhel9cis_aide_scan: cron
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
# The sub-settings of this variable provide the parameters required to configure # The sub-settings of this variable provide the parameters required to configure
# the cron job on the target system. # the cron job on the target system.
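Review bot: Flattening the `rhel9cis_pass:` dictionary into `rhel9cis_pass_max_days`, `rhel9cis_pass_min_days` and `rhel9cis_pass_warn_age` (second hunk) means an inventory that still overrides the old dictionary is silently ignored, so a site that had set a stricter expiry falls back to the 365-day default with no error. The `rhel9cis_net_snmp_*` to `rhel9cis_snmp_*` rename in the first hunk has the same effect: an existing `rhel9cis_net_snmp_server: true` override is no longer read, and with both new defaults `false` the 2.1.14 task removes net-snmp. Only two files change in this commit and the other one is the snmp task, so the tasks that consume the password-ageing values are presumably updated elsewhere; it is worth confirming none still reference `rhel9cis_pass.max_days`. I would add a comment above each new variable such as `# Renamed from rhel9cis_pass.max_days - overrides of the old name are no longer read`, and consider a prelim assert that fails when any of the old names is still defined.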


@ -461,16 +461,16 @@
block: block:
- name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package" - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package"
when: when:
- not rhel9cis_net_snmp_server - not rhel9cis_snmp_server
- not rhel9cis_net_snmp_mask - not rhel9cis_snmp_mask
ansible.builtin.package: ansible.builtin.package:
name: net-snmp name: net-snmp
state: absent state: absent
- name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service" - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service"
when: when:
- not rhel9cis_net_snmp_server - not rhel9cis_snmp_server
- rhel9cis_net_snmp_mask - rhel9cis_snmp_mask
notify: Systemd_daemon_reload notify: Systemd_daemon_reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: snmpd.service name: snmpd.service