Initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

templates/ansible_vars_goss.yml.j2

@@ -0,0 +1,474 @@
+## metadata for Audit benchmark
+benchmark_version: '1.0.1'
+
+# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
+is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %}
+
+rhel9cis_os_distribution: {{ ansible_distribution | lower }}
+
+# timeout for each command to run where set - default = 10seconds/10000ms
+timeout_ms: {{ audit_cmd_timeout }}
+
+# Taken from LE rhel9-cis
+rhel9cis_notauto: {{ rhel9cis_notauto }}
+rhel9cis_section1: {{ rhel9cis_section1 }}
+rhel9cis_section2: {{ rhel9cis_section2 }}
+rhel9cis_section3: {{ rhel9cis_section3 }}
+rhel9cis_section4: {{ rhel9cis_section4 }}
+rhel9cis_section5: {{ rhel9cis_section5 }}
+rhel9cis_section6: {{ rhel9cis_section6 }}
+
+rhel9cis_level_1: {{ rhel9cis_level_1 }}
+rhel9cis_level_2: {{ rhel9cis_level_2 }}
+
+rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }}
+
+
+
+# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
+run_heavy_tests: true
+{% if rhel9cis_legacy_boot is defined %}
+rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
+{% endif %}
+
+
+rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
+# These variables correspond with the CIS rule IDs or paragraph numbers defined in
+# the CIS benchmark documents.
+# PLEASE NOTE: These work in coordination with the section # group variables and tags.
+# You must enable an entire section in order for the variables below to take effect.
+# Section 1 rules
+rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }}
+rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }}
+rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }}
+rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }}
+rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }}
+rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }}
+rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }}
+rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }}
+rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }}
+rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }}
+rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }}
+rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }}
+rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }}
+rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }}
+rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }}
+rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }}
+rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }}
+rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }}
+rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }}
+rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }}
+rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }}
+rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }}
+rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }}
+rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }}
+rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }}
+rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }}
+rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %}  # Only run if Redhat and Subscribed
+rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }}
+rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }}
+rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }}
+rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }}
+rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }}
+rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
+rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
+rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
+rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
+rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
+rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
+rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
+rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }}
+rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }}
+rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }}
+rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }}
+rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }}
+rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }}
+rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }}
+rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }}
+rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }}
+rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }}
+rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }}
+rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }}
+rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }}
+rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }}
+rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }}
+rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
+rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
+rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
+rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }}
+
+# section 2 rules
+rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
+rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }}
+rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }}
+rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }}
+rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }}
+rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }}
+rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }}
+rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }}
+rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }}
+rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }}
+rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }}
+rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }}
+rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }}
+rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }}
+rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }}
+rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }}
+rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }}
+rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }}
+rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }}
+rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }}
+rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }}
+rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }}
+rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }}
+
+
+# Section 3 rules
+rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
+rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
+rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
+rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
+rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }}
+rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }}
+rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }}
+rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }}
+rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }}
+rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }}
+rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }}
+rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }}
+rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }}
+rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }}
+rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }}
+rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }}
+rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }}
+rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }}
+rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }}
+rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }}
+rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
+rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
+rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }}
+rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }}
+
+
+# Section 4 rules
+rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }}
+rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }}
+rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }}
+rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }}
+rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }}
+rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }}
+rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }}
+rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }}
+rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }}
+rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }}
+rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }}
+rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }}
+rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }}
+rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }}
+rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }}
+rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }}
+rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }}
+rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }}
+rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }}
+rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }}
+rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }}
+rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }}
+rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }}
+rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }}
+rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }}
+rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }}
+rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }}
+rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }}
+rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }}
+rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }}
+rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }}
+rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
+rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
+
+# Section 5
+rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }}
+rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }}
+rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }}
+rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }}
+rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }}
+rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }}
+rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }}
+rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }}
+
+rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }}
+rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }}
+rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }}
+rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }}
+rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }}
+rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }}
+rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }}
+rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }}
+rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }}
+rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }}
+rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }}
+rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }}
+rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }}
+rhel9cis_rule_5_2_14: {{ rhel9cis_rule_5_2_14 }}
+rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }}
+rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }}
+rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }}
+rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }}
+rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }}
+rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }}
+
+rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }}
+rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }}
+rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }}
+
+rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }}
+rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }}
+rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }}
+rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }}
+
+rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }}
+rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }}
+rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }}
+rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }}
+rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }}
+
+rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }}
+rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }}
+rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }}
+rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }}
+
+rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }}
+rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }}
+
+# Section 6
+rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }}
+rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }}
+rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }}
+rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }}
+rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }}
+rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }}
+rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }}
+rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }}
+rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }}
+rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }}
+rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }}
+rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }}
+rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }}
+rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }}
+
+rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }}
+rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }}
+rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }}
+rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }}
+rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }}
+rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }}
+rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }}
+rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }}
+rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }}
+rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }}
+rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }}
+rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }}
+rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }}
+rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }}
+rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }}
+rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }}
+rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }}
+rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }}
+rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }}
+rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }}
+
+
+# Service configuration booleans set true to keep service
+rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
+rhel9cis_cups_server: {{ rhel9cis_cups_server }}
+rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
+rhel9cis_ldap_server: {{ rhel9cis_ldap_server }}
+rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
+rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
+rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
+rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }}
+rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }}
+rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
+rhel9cis_rsh_server: {{ rhel9cis_rsh_server }}
+rhel9cis_nis_server: {{ rhel9cis_nis_server }}
+rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
+rhel9cis_squid_server: {{ rhel9cis_squid_server }}
+rhel9cis_smb_server: {{ rhel9cis_smb_server }}
+rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }}
+rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
+rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
+rhel9cis_named_server: {{ rhel9cis_named_server }}
+rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }}
+rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
+rhel9cis_bind: {{ rhel9cis_bind }}
+rhel9cis_vsftpd: {{ rhel9cis_vsftpd }}
+rhel9cis_httpd: {{ rhel9cis_httpd }}
+rhel9cis_dovecot: {{ rhel9cis_dovecot }}
+rhel9cis_samba: {{ rhel9cis_samba }}
+rhel9cis_squid: {{ rhel9cis_squid }}
+rhel9cis_net_snmp: {{ rhel9cis_net_snmp}}
+rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }}
+
+# client services
+rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
+rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
+rhel9cis_talk_required: {{ rhel9cis_talk_required }}
+rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
+rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
+
+# AIDE
+rhel9cis_config_aide: {{ rhel9cis_config_aide }}
+
+# aide setup via - cron, timer
+rhel9_aide_scan: cron
+
+# AIDE cron settings
+rhel9cis_aide_cron:
+  cron_user: {{ rhel9cis_aide_cron.cron_user }}
+  cron_file: '{{ rhel9cis_aide_cron.cron_file }}'
+  aide_job: ' {{ rhel9cis_aide_cron.aide_job }}'
+  aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}'
+  aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}'
+  aide_day: '{{ rhel9cis_aide_cron.aide_day }}'
+  aide_month: '{{ rhel9cis_aide_cron.aide_month }}'
+  aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}'
+
+# 1.5.1 Bootloader password
+rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }}
+rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }}
+
+# 1.10 crypto
+rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }}
+
+# Warning Banner Content (issue, issue.net, motd)
+rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
+# End Banner
+
+# Set to 'true' if X Windows is needed in your environment
+rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }}
+
+# Whether or not to run tasks related to auditing/patching the desktop environment
+rhel9cis_gui: {{ rhel9cis_gui }}
+
+# xinetd required
+rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }}
+
+# IPv6 required
+rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
+
+# System network parameters (host only OR host and router)
+rhel9cis_is_router: {{ rhel9cis_is_router }}
+
+# Time Synchronization
+rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }}
+
+rhel9cis_varlog_location: {{ rhel9cis_varlog_location }}
+
+rhel9cis_firewall: {{ rhel9cis_firewall }}
+#rhel9cis_firewall: iptables
+rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }}
+rhel9cis_firewall_interface: 
+- enp0s3 
+- enp0s8
+
+rhel9cis_firewall_services: {{ rhel9cis_firewall_services }}
+
+
+
+### Section 4
+## auditd settings
+rhel9cis_auditd:
+  space_left_action: {{ rhel9cis_auditd.space_left_action}}
+  action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }}
+  admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }}
+  max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }}
+  auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }}
+
+## syslog
+rhel9_cis_rsyslog: true
+
+### Section 5
+rhel9cis_sshd_limited: false
+#Note the following to understand precedence and layout
+rhel9cis_sshd_access:
+  AllowUser:
+  AllowGroup:
+  DenyUser:
+  DenyGroup:
+
+rhel9cis_ssh_strong_ciphers:  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+rhel9cis_ssh_weak_ciphers:
+  3des-cbc
+  aes128-cbc
+  aes192-cbc
+  aes256-cbc
+  arcfour
+  arcfour128
+  arcfour256
+  blowfish-cbc
+  cast128-cbc 
+  rijndael-cbc@lysator.liu.se
+
+rhel9cis_ssh_strong_macs:  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256
+rhel9cis_ssh_weak_macs:
+  hmac-md5 
+  hmac-md5-96 
+  hmac-ripemd160 
+  hmac-sha1
+  hmac-sha1-96 
+  umac-64@openssh.com 
+  umac-128@openssh.com 
+  hmac-md5-etm@openssh.com 
+  hmac-md5-96-etm@openssh.com 
+  hmac-ripemd160-etm@openssh.com 
+  hmac-sha1-etm@openssh.com 
+  hmac-sha1-96-etm@openssh.com 
+  umac-64-etm@openssh.com 
+  umac-128-etm@openssh.com
+
+rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+rhel9cis_ssh_weak_kex: 
+  diffie-hellman-group1-sha1 
+  diffie-hellman-group14-sha1 
+  diffie-hellman-group-exchange-sha1
+
+rhel9cis_ssh_aliveinterval: "300"
+rhel9cis_ssh_countmax: "3"
+
+## PAM
+rhel9cis_pam_password: 
+  minlen: {{ rhel9cis_pam_password.minlen }}
+  minclass: {{ rhel9cis_pam_password.minclass }}
+rhel9cis_pam_passwd_retry: "3"
+# faillock or tally2
+rhel9cis_accountlock: faillock
+
+## note this is to skip tests
+skip_rhel9cis_pam_passwd_auth: true
+skip_rhel9cis_pam_system_auth: true
+
+# choose one of below
+rhel9cis_pwhistory_so: "14"
+rhel9cis_unix_so: false
+rhel9cis_passwd_remember: "5"
+
+# logins.def password settings
+rhel9cis_pass:
+  max_days: {{ rhel9cis_pass.max_days }}
+  min_days: {{ rhel9cis_pass.min_days }}
+  warn_age: {{ rhel9cis_pass.warn_age }}
+
+# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example
+rhel9cis_authselect:
+  custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
+  default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }}
+  options: {{ rhel9cis_authselect.options }}
+
+# 5.3.1 Enable automation to creat custom profile settings, using the setings above
+rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
+
+# 5.3.2 Enable automation to select custom profile options, using the settings above
+rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }}
+
+# 5.7
+rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }}
+rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}

templates/audit/99_auditd.rules.j2

@@ -0,0 +1,79 @@
+# File created initially via RHEL9 CIS ansible-lockdown remdiation role
+{% if rhel9cis_rule_4_1_3 %}
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope
+{% endif %}
+{% if rhel9cis_rule_4_1_4 %}
+-w /var/log/faillog -p wa -k logins 
+-w /var/log/lastlog -p wa -k logins
+{% endif %}
+{% if rhel9cis_rule_4_1_5 %}
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
+-w /var/log/btmp -p wa -k logins
+{% endif %}
+{% if rhel9cis_rule_4_1_6 %}
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+{% endif %}
+{% if rhel9cis_rule_4_1_7 %}
+-w /etc/selinux/ -p wa -k MAC-policy
+-w /usr/share/selinux/ -p wa -k MAC-policy
+{% endif %}
+{% if rhel9cis_rule_4_1_8 %}
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+{% endif %}
+{% if rhel9cis_rule_4_1_9 %}
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+{% endif %}
+{% if rhel9cis_rule_4_1_10 %}
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+{% endif %}
+{% if rhel9cis_rule_4_1_11 %}
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+{% endif %}
+{% if rhel9cis_rule_4_1_12 %}
+-a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+{% endif %}
+{% if rhel9cis_rule_4_1_13 %}
+{% for proc in priv_procs.stdout_lines -%}
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
+{% endfor %}
+{% endif %}
+{% if rhel9cis_rule_4_1_14 %}
+-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+{% endif %}
+{% if rhel9cis_rule_4_1_15 %}
+-w /usr/sbin/insmod -p x -k modules
+-w /usr/sbin/rmmod -p x -k modules
+-w /usr/sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+{% endif %}
+{% if rhel9cis_rule_4_1_16 %}
+-w /var/log/sudo.log -p wa -k actions
+{% endif %}
+{% if rhel9cis_rule_4_1_17 %}
+-e 2
+{% endif %}

templates/chrony.conf.j2

@@ -0,0 +1,93 @@
+# This the default chrony.conf file for the Debian chrony package.  After
+# editing this file use the command 'invoke-rc.d chrony restart' to make
+# your changes take effect.  John Hasler <jhasler@debian.org> 1998-2008
+
+# See www.pool.ntp.org for an explanation of these servers.  Please
+# consider joining the project if possible.  If you can't or don't want to
+# use these servers I suggest that you try your ISP's nameservers.  We mark
+# the servers 'offline' so that chronyd won't try to connect when the link
+# is down.  Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
+# commands to switch it on when a dialup link comes up and off when it goes
+# down.  Code in /etc/init.d/chrony attempts to determine whether or not
+# the link is up at boot time and set the online status accordingly.  If
+# you have an always-on connection such as cable omit the 'offline'
+# directive and chronyd will default to online.
+#
+# Note that if Chrony tries to go "online" and dns lookup of the servers
+# fails they will be discarded.  Thus under some circumstances it is
+# better to use IP numbers than host names.
+
+{% for server in rhel9cis_time_synchronization_servers -%}
+server {{ server }} {{ rhel9cis_chrony_server_options }}
+{% endfor %}
+
+# Look here for the admin password needed for chronyc.  The initial
+# password is generated by a random process at install time.  You may
+# change it if you wish.
+
+keyfile /etc/chrony/chrony.keys
+
+# Set runtime command key.  Note that if you change the key (not the
+# password) to anything other than 1 you will need to edit
+# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
+# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+
+log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+
+dumponexit
+
+# Specify directory for dumping measurements.
+
+dumpdir /var/lib/chrony
+
+# Let computer be a server when it is unsynchronised.
+
+local stratum 10
+
+# Allow computers on the unrouted nets to use the server.
+
+#allow 10/8
+#allow 192.168/16
+#allow 172.16/12
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+
+logchange 0.5
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells chrony to regulate the real-time clock and tells it
+# Where to store related data.  It may not work on some newer motherboards
+# that use the HPET real-time clock.  It requires enhanced real-time
+# support in the kernel.  I've commented it out because with certain
+# combinations of motherboard and kernel it is reported to cause lockups.
+
+# rtcfile /var/lib/chrony/chrony.rtc
+
+# If the last line of this file reads 'rtconutc' chrony will assume that
+# the CMOS clock is on UTC (GMT).  If it reads '# rtconutc' or is absent
+# chrony will assume local time.  The line (if any) was written by the
+# chrony postinst based on what it found in /etc/default/rcS.  You may
+# change it if necessary.
+rtconutc

templates/etc/99-sysctl.conf.j2

@@ -0,0 +1,75 @@
+# Setting added via ansible CIS remediation playbook
+
+{% if rhel9cis_rule_1_6_1 %}
+# Filesystem sysctl
+# CIS 1.6.1
+fs.suid_dumpable = 0
+{% endif %}
+{% if rhel9cis_rule_1_6_2 %}
+# Kernel sysctl
+# CIS 1.6.2
+kernel.randomize_va_space = 2
+{% endif %}
+
+# Network sysctl
+{% if rhel9cis_rule_3_1_1 %}
+# CIS 3.1.1
+net.ipv4.ip_forward = 0
+{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
+net.ipv6.conf.all.forwarding = 0
+{% endif %}
+{% endif %}
+{% if rhel9cis_rule_3_1_2 %}
+# CIS 3.1.2
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+{% endif %}
+{% if rhel9cis_rule_3_2_1 %}
+# CIS 3.2.1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %}
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+{% endif %}
+{% endif %}
+{% if rhel9cis_rule_3_2_2 %}
+# CIS 3.2.2
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+{% if rhel9cis_rule_3_2_2 and rhel9cis_ipv6_required %}
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+{% endif %}
+{% endif %}
+{% if rhel9cis_rule_3_2_3 %}
+# CIS 3.2.3
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+{% endif %}
+{% if rhel9cis_rule_3_2_4 %}
+# CIS 3.2.4
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+{% endif %}
+{% if rhel9cis_rule_3_2_5 %}
+# CIS 3.2.5
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+{% endif %}
+{% if rhel9cis_rule_3_2_6 %}
+# CIS 3.2.6
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+{% endif %}
+{% if rhel9cis_rule_3_2_7 %}
+# CIS 3.2.7
+net.ipv4.conf.default.rp_filter = 1
+{% endif %}
+{% if rhel9cis_rule_3_2_8 %}
+# CIS 3.2.8
+net.ipv4.tcp_syncookies = 1
+{% endif %}
+{% if rhel9cis_rule_3_2_9 %}
+# CIS 3.2.9
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.default.accept_ra = 0
+{% endif %}

templates/etc/issue.j2

@@ -0,0 +1 @@
+{{ rhel9cis_warning_banner }}

templates/etc/issue.net.j2

@@ -0,0 +1 @@
+{{ rhel9cis_warning_banner }}

templates/etc/motd.j2

@@ -0,0 +1 @@
+{{ rhel9cis_warning_banner }}

templates/etc/systemd/system/tmp.mount.j2

@@ -0,0 +1,28 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Temporary Directory (/tmp)
+Documentation=man:hier(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_5 %}noexec{% endif %}
+
+# Make 'systemctl enable tmp.mount' work:
+[Install]
+WantedBy=local-fs.target

templates/hosts.allow.j2

@@ -0,0 +1,11 @@
+#
+# hosts.allow	This file contains access rules which are used to
+#		allow or deny connections to network services that
+#		either use the tcp_wrappers library or that have been
+#		started through a tcp_wrappers-enabled xinetd.
+#
+#		See 'man 5 hosts_options' and 'man 5 hosts_access'
+#		for information on rule syntax.
+#		See 'man tcpd' for information on tcp_wrappers
+#
+ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}

templates/ntp.conf.j2

@@ -0,0 +1,59 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+#restrict default nomodify notrap nopeer noquery
+restrict -4 default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface.  This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+{% for server in rhel9cis_time_synchronization_servers -%}
+server {{ server }} {{ rhel9cis_ntp_server_options }}
+{% endfor %}
+
+#broadcast 192.168.1.255 autokey        # broadcast server
+#broadcastclient                        # broadcast client
+#broadcast 224.0.1.1 autokey            # multicast server
+#multicastclient 224.0.1.1              # multicast client
+#manycastserver 239.255.254.254         # manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+
+# Enable public key cryptography.
+#crypto
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
+
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor