updated controls

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -36,6 +36,9 @@ benchmark: RHEL9-CIS
 # Whether to skip the reboot
 skip_reboot: true
 
+# default value will change to true but wont reboot if not enabled but will error
+change_requires_reboot: false
+
 #### Basic external goss audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####
 
@@ -345,7 +348,7 @@ rhel9cis_rule_6_2_4: true
 rhel9cis_rule_6_2_5: true
 rhel9cis_rule_6_2_6: true
 rhel9cis_rule_6_2_7: true
-rhel9cis_rule_6_2_8: false
+rhel9cis_rule_6_2_8: true
 rhel9cis_rule_6_2_9: true
 rhel9cis_rule_6_2_10: true
 rhel9cis_rule_6_2_11: true
@@ -355,46 +358,19 @@ rhel9cis_rule_6_2_14: true
 rhel9cis_rule_6_2_15: true
 rhel9cis_rule_6_2_16: true
 
-# Service configuration booleans set true to keep service
-rhel9cis_avahi_server: false
-rhel9cis_cups_server: false
-rhel9cis_dhcp_server: false
-rhel9cis_ldap_server: false
-rhel9cis_telnet_server: false
-rhel9cis_nfs_server: false
-rhel9cis_rpc_server: false
-rhel9cis_ntalk_server: false
-rhel9cis_rsyncd_server: false
-rhel9cis_tftp_server: false
-rhel9cis_rsh_server: false
-rhel9cis_nis_server: false
-rhel9cis_snmp_server: false
-rhel9cis_squid_server: false
-rhel9cis_smb_server: false
-rhel9cis_dovecot_server: false
-rhel9cis_httpd_server: false
-rhel9cis_vsftpd_server: false
-rhel9cis_named_server: false
-rhel9cis_nfs_rpc_server: false
-rhel9cis_is_mail_server: false
-rhel9cis_bind: false
-rhel9cis_vsftpd: false
-rhel9cis_httpd: false
-rhel9cis_dovecot: false
-rhel9cis_samba: false
-rhel9cis_squid: false
-rhel9cis_net_snmp: false
-rhel9cis_allow_autofs: false
 
 ## Section 1 vars
 
-# 1.1.2
+#### 1.1.2
 # These settings go into the /etc/fstab file for the /tmp mount settings
 # The value must contain nosuid,nodev,noexec to conform to CIS standards
 # rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
 # If set true uses the tmp.mount service else using fstab configuration
 rhel9cis_tmp_svc: false
 
+#### 1.1.9
+rhel9cis_allow_autofs: false
+
 # 1.2.1
 # This is the login information for your RedHat Subscription
 # DO NOT USE PLAIN TEXT PASSWORDS!!!!!
@@ -407,17 +383,15 @@ rhel9cis_rh_sub_password: password
 # RedHat Satellite Subscription items
 rhel9cis_rhnsd_required: false
 
-# 1.3.3 var log location variable
-rhel9cis_varlog_location: "/var/log/sudo.log"
 
-# xinetd required
-rhel9cis_xinetd_required: false
+
 
 # 1.4.2 Bootloader password
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
 rhel9cis_bootloader_password: random
 rhel9cis_set_boot_pass: false
 
+
 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 # Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.
 rhel9cis_crypto_policy: "FUTURE"
@@ -433,7 +407,7 @@ rhel9cis_config_aide: true
 # AIDE cron settings
 rhel9cis_aide_cron:
     cron_user: root
-    cron_file: /etc/cron.d/aide.cron
+    cron_file: /etc/cron.d/aide_cron
     aide_job: '/usr/sbin/aide --check'
     aide_minute: 0
     aide_hour: 5
@@ -445,92 +419,124 @@ rhel9cis_aide_cron:
 rhel9cis_selinux_pol: targeted
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
-rhel9cis_gui: false
 
-# Set to 'true' if X Windows is needed in your environment
-rhel9cis_xwindows_required: false
+## 2. Services
 
-rhel9cis_openldap_clients_required: false
-rhel9cis_telnet_required: false
-rhel9cis_talk_required: false
-rhel9cis_rsh_required: false
-rhel9cis_ypbind_required: false
 
-# 2.2.1.1 Time Synchronization - Either chrony or ntp
-rhel9cis_time_synchronization: chrony
-
-# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
+### 2.1 Time Synchronization
+#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
 rhel9cis_time_synchronization_servers:
     - 0.pool.ntp.org
     - 1.pool.ntp.org
     - 2.pool.ntp.org
     - 3.pool.ntp.org
-
 rhel9cis_chrony_server_options: "minpoll 8"
-rhel9cis_ntp_server_options: "iburst"
+
+### 2.2 Special Purposes
+##### Service configuration booleans set true to keep service
+rhel9cis_xinetd_server: false
+rhel9cis_gui: false
+rhel9cis_avahi_server: false
+rhel9cis_cups_server: false
+rhel9cis_dhcp_server: false
+rhel9cis_dns_server: false
+rhel9cis_ftp_server: false
+rhel9cis_vsftpd_server: false
+rhel9cis_tftp_server: false
+rhel9cis_httpd_server: false
+rhel9cis_nginx_server: false
+rhel9cis_dovecot_cyrus_server: false
+rhel9cis_samba_server: false
+rhel9cis_squid_server: false
+rhel9cis_snmp_server: false
+rhel9cis_nis_server: false
+rhel9cis_telnet_server: false
+rhel9cis_is_mail_server: false
+rhel9cis_nfs_server: false
+rhel9cis_rpc_server: false
+rhel9cis_rsync_server: false
+
+#### 2.3 Service clients
+rhel9cis_ypbind_required: false
+rhel9cis_rsh_required: false
+rhel9cis_talk_required: false
+rhel9cis_telnet_required: false
+rhel9cis_openldap_clients_required: false
+rhel9cis_tftp_client: false
+
 
 ## Section3 vars
-# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
-rhel9cis_host_allow:
-    - "10.0.0.0/255.0.0.0"
-    - "172.16.0.0/255.240.0.0"
-    - "192.168.0.0/255.255.0.0"
-
-# Firewall Service - either firewalld, iptables, or nftables
+### Firewall Service - either firewalld, iptables, or nftables
 rhel9cis_firewall: firewalld
 
-# 3.4.2.4 Default zone setting
+##### firewalld
 rhel9cis_default_zone: public
-
-# 3.4.2.5 Zone and Interface setting
-rhel9cis_int_zone: customezone
+rhel9cis_int_zone: customzone
 rhel9cis_interface: eth0
-
 rhel9cis_firewall_services:
     - ssh
     - dhcpv6-client
 
-# 3.4.3.2 Set nftables new table create
+#### nftables
 rhel9cis_nft_tables_autonewtable: true
 rhel9cis_nft_tables_tablename: filter
-
-# 3.4.3.3 Set nftables new chain create
 rhel9cis_nft_tables_autochaincreate: true
 
+#### iptables
+
 # Warning Banner Content (issue, issue.net, motd)
 rhel9cis_warning_banner: |
     Authorized uses only. All activity may be monitored and reported.
 # End Banner
 
 ## Section4 vars
-
+### 4.1 Configure System Accounting
+#### 4.1.2 Configure Data Retention
 rhel9cis_auditd:
     space_left_action: email
     action_mail_acct: root
     admin_space_left_action: halt
     max_log_file_action: keep_logs
 
-rhel9cis_logrotate: "daily"
-
 # The audit_back_log_limit value should never be below 8192
 rhel9cis_audit_back_log_limit: 8192
 
 # The max_log_file parameter should be based on your sites policy
 rhel9cis_max_log_file_size: 10
 
-# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name
+#### 4.2.1.6 remote and destation log server name
 rhel9cis_remote_log_server: logagg.example.com
 
-# RHEL-09-4.2.1.5
+#### 4.2.1.7
 rhel9cis_system_is_log_server: false
 
+# 4.2.2.1.2
+# rhel9cis_journal_upload_url is the ip address to upload the journal entries to
+rhel9cis_journal_upload_url: 192.168.50.42
+# The paths below have the default paths/files, but allow user to create custom paths/filenames
+rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
+rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
+rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
+
+# 4.2.2.1
+# The variables below related to journald, please set these to your site specific values
+# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use
+rhel9cis_journald_systemmaxuse: 10M
+# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free
+rhel9cis_journald_systemkeepfree: 100G
+rhel9cis_journald_runtimemaxuse: 10M
+rhel9cis_journald_runtimekeepfree: 100G
+# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+rhel9cis_journald_maxfilesec: 1month
+
+#### 4.3
+rhel9cis_logrotate: "daily"
+
 ## Section5 vars
 
 rhel9cis_sshd:
     clientalivecountmax: 0
     clientaliveinterval: 900
-    ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
-    macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
     logingracetime: 60
     # WARNING: make sure you understand the precedence when working with these values!!
     # allowusers:
@@ -553,9 +559,10 @@ rhel9cis_ssh_maxsessions: 4
 rhel9cis_inactivelock:
     lock_days: 30
 
+
+rhel9cis_use_authconfig: false
 # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example
 # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk
-rhel9cis_use_authconfig: false
 rhel9cis_authselect:
     custom_profile_name: custom-profile
     default_file_to_copy: "sssd --symlink-meta"
@@ -591,6 +598,11 @@ discover_int_uid: false
 min_int_uid: 1000
 max_int_uid: 65533
 
+# 5.3.3 var log location variable
+rhel9cis_sudolog_location: "/var/log/sudo.log"
+
+#### 5.3.6
+rhel9cis_sudo_timestamp_timeout: 15
 
 # RHEL-09-5.4.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)

group_vars/docker

@@ -1,28 +0,0 @@
----
-ansible_user: root
-# AIDE cron settings
-rhel9cis_aide_cron:
-  cron_user: root
-  cron_file: /var/spool/cron/root
-  aide_job: '/usr/sbin/aide --check'
-  aide_minute: 0
-  aide_hour: 5
-  aide_day: '*'
-  aide_month: '*'
-  aide_weekday: '*'
-
-rhel9cis_sshd:
-    clientalivecountmax: 3
-    clientaliveinterval: 300
-    ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
-    macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
-    logingracetime: 60
-    # - make sure you understand the precedence when working with these values!!
-    allowusers: vagrant
-    allowgroups: vagrant
-    denyusers: root
-    denygroups: root
-
-# Workarounds for Docker
-rhel9cis_skip_for_travis: true
-rhel9cis_selinux_disable: true

group_vars/vagrant

@@ -1,28 +0,0 @@
----
-ansible_user: vagrant
-# AIDE cron settings
-rhel9cis_aide_cron:
-  cron_user: root
-  cron_file: /var/spool/cron/root
-  aide_job: '/usr/sbin/aide --check'
-  aide_minute: 0
-  aide_hour: 5
-  aide_day: '*'
-  aide_month: '*'
-  aide_weekday: '*'
-
-rhel9cis_sshd:
-    clientalivecountmax: 3
-    clientaliveinterval: 300
-    ciphers: 'aes256-ctr,aes192-ctr,aes128-ctr'
-    macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
-    logingracetime: 60
-    # - make sure you understand the precedence when working with these values!!
-    allowusers: vagrant
-    allowgroups: vagrant
-    denyusers: root
-    denygroups: root
-
-# Vagrant can touch code that Docker cannot
-rhel9cis_skip_for_travis: false
-rhel9cis_selinux_disable: false

handlers/main.yml

@@ -76,12 +76,6 @@
       name: firewalld
       state: restarted
 
-- name: restart xinetd
-  become: true
-  service:
-      name: xinetd
-      state: restarted
-
 - name: restart sshd
   become: true
   service:
@@ -135,12 +129,20 @@
       name: rsyslog
       state: restarted
 
-- name: restart syslog-ng
-  become: true
+- name: restart journald
   service:
-      name: syslog-ng
+      name: systemd-journald
+      state: restarted
+
+- name: restart systemd_journal_upload
+  service:
+      name: systemd-journal-upload
       state: restarted
 
 - name: systemd_daemon_reload
   systemd:
       daemon-reload: true
+
+- name: change_requires_reboot
+  set_fact:
+      change_requires_reboot: true

tasks/main.yml

@@ -112,9 +112,11 @@
   - rhel9cis_section6
   tags:
   - rule_5.5.2
-  - rule_6.2.7
-  - rule_6.2.8
-  - rule_6.2.20
+  - rule_5.6.2
+  - rule_6.2.9
+  - rule_6.2.10
+  - rule_6.2.11
+  - rhel9cis_section5
   - rhel9cis_section6
 
 - name: run Section 1 tasks

tasks/post.yml

@@ -66,7 +66,30 @@
 - name: flush handlers
   meta: flush_handlers
 
-- name: Reboot host
+- name: POST | reboot system if changes require it and not skipped
+  block:
+      - name: POST | Reboot system if changes require it and not skipped
         reboot:
         when:
+            - change_requires_reboot
             - not skip_reboot
+
+      - name: POST | Warning a reboot required but skip option set
+        debug:
+            msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
+        changed_when: true
+        when:
+            - change_requires_reboot
+            - skip_reboot
+  tags:
+      - grub
+      - level1-server
+      - level1-workstation
+      - level2-server
+      - level2-workstation
+      - rhel9cis_section1
+      - rhel9cis_section2
+      - rhel9cis_section3
+      - rhel9cis_section4
+      - rhel9cis_section5
+      - rhel9cis_section6

tasks/prelim.yml

@@ -32,8 +32,9 @@
       warn: false
   changed_when: false
   check_mode: false
-  register: uid_zero_accounts_except_root
+  register: rhel9cis_uid_zero_accounts_except_root
   tags:
+      - rule_6.2.8
       - level1-server
       - level1-workstation
       - users
@@ -144,6 +145,19 @@
       - authconfig
       - auditd
 
+- name: "PRELIM | 5.3.4 | Find all sudoers files."
+  command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: rhel9cis_sudoers_files
+  when:
+      - rhel9cis_rule_5_3_4 or
+        rhel9cis_rule_5_3_5
+  tags:
+      - rule_5.3.4
+      - rule_5.3.5
+
 - name: "PRELIM | Set facts based on boot type"
   block:
       - name: "PRELIM | Check whether machine is UEFI-based"

tasks/section_2/cis_2.1.x.yml

@@ -2,11 +2,11 @@
 
 - name: "2.1.1 | PATCH | Ensure time synchronization is in use"
   package:
-      name: "{{ rhel9cis_time_synchronization }}"
+      name: chrony
       state: present
   when:
       - rhel9cis_rule_2_1_1
-      - not rhel9cis_system_is_container
+      - not system_is_container
   tags:
       - level1-server
       - level1-workstation
@@ -18,7 +18,7 @@
   block:
       - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration"
         template:
-            src: chrony.conf.j2
+            src: etc/chrony.conf.j2
             dest: /etc/chrony.conf
             owner: root
             group: root
@@ -33,9 +33,8 @@
             create: yes
             mode: 0644
   when:
-      - rhel9cis_time_synchronization == "chrony"
       - rhel9cis_rule_2_1_2
-      - not rhel9cis_system_is_container
+      - not system_is_container
   tags:
       - level1-server
       - level1-workstation

tasks/section_3/cis_3.2.x.yml

@@ -17,7 +17,7 @@
             - update sysctl
         when: rhel9cis_ipv6_required
   when:
-      - rhel9cis_rule_3.2.1
+      - rhel9cis_rule_3_2_1
   tags:
       - level1-server
       - level1-workstation
@@ -42,7 +42,7 @@
             - update sysctl
         when: rhel9cis_ipv6_required
   when:
-      - rhel9cis_rule_3.2.2
+      - rhel9cis_rule_3_2_2
   tags:
       - level1-server
       - level1-workstation

tasks/section_3/cis_3.3.x.yml

@@ -17,7 +17,7 @@
             - update sysctl
         when: rhel9cis_ipv6_required
   when:
-      - rhel9cis_rule_3.3.1
+      - rhel9cis_rule_3_3_1
   tags:
       - level1-server
       - level1-workstation
@@ -42,7 +42,7 @@
             - update sysctl
         when: rhel9cis_ipv6_required
   when:
-      - rhel9cis_rule_3.3.2
+      - rhel9cis_rule_3_3_2
   tags:
       - level1-server
       - level1-workstation
@@ -55,7 +55,7 @@
     msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
   notify: update sysctl
   when:
-      - rhel9cis_rule_3.3.3
+      - rhel9cis_rule_3_3_3
   tags:
       - level1-server
       - level1-workstation
@@ -68,7 +68,7 @@
     msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
   notify: update sysctl
   when:
-      - rhel9cis_rule_3.3.4
+      - rhel9cis_rule_3_3_4
   tags:
       - level1-server
       - level1-workstation
@@ -81,7 +81,7 @@
     msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
   notify: update sysctl
   when:
-      - rhel9cis_rule_3.3.5
+      - rhel9cis_rule_3_3_5
   tags:
       - level1-server
       - level1-workstation
@@ -94,7 +94,7 @@
     msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
   notify: update sysctl
   when:
-      - rhel9cis_rule_3.3.6
+      - rhel9cis_rule_3_3_6
   tags:
       - level1-server
       - level1-workstation
@@ -107,7 +107,7 @@
     msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
   notify: update sysctl
   when:
-      - rhel9cis_rule_3.3.7
+      - rhel9cis_rule_3_3_7
   tags:
       - level1-server
       - level1-workstation
@@ -120,7 +120,7 @@
     msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
   notify: update sysctl
   when:
-      - rhel9cis_rule_3.3.8
+      - rhel9cis_rule_3_3_8
   tags:
       - level1-server
       - level1-workstation
@@ -146,7 +146,7 @@
         when: rhel9cis_ipv6_required
   when:
       - rhel9cis_ipv6_required
-      - rhel9cis_rule_3.3.9
+      - rhel9cis_rule_3_3_9
   tags:
       - level2-server
       - level2-workstation

tasks/section_3/cis_3.4.1.x.yml

@@ -22,7 +22,6 @@
       - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services"
         systemd:
             name: "{{ item }}"
-            enabled: false
             masked: true
         with_items:
             - iptables

tasks/section_3/main.yml

@@ -1,41 +1,35 @@
 ---
 
-- name: "SECTION | 3.1.x | Packet and IP redirection"
+- name: "SECTION | 3.1.x | Disable unused network protocols and devices"
   import_tasks: cis_3.1.x.yml
 
 - name: "SECTION | 3.2.x | Network Parameters (Host Only)"
   import_tasks: cis_3.2.x.yml
 
-- name: "SECTION | 3.3.x | Uncommon Network Protocols"
+- name: "SECTION | 3.3.x | Network Parameters (host and Router)"
   import_tasks: cis_3.3.x.yml
 
-- name: "SECTION | 3.4.1.x | firewall defined"
-  import_tasks: cis_3.4.1.1.yml
-
-- name: "SECTION | 3.4.2.x | firewalld firewall"
-  include_tasks: cis_3.4.2.x.yml
+- name: "SECTION | 3.4.1.x | Configure firewalld"
+  import_tasks: cis_3.4.1.x.yml
   when:
   - rhel9cis_firewall == "firewalld"
 
-- name: "SECTION | 3.4.3.x | Configure nftables firewall"
-  include_tasks: cis_3.4.3.x.yml
+- name: "SECTION | 3.4.2.x | Configure nftables"
+  include_tasks: cis_3.4.2.x.yml
   when:
   - rhel9cis_firewall == "nftables"
 
-- name: "SECTION | 3.4.4.1.x | Configure iptables IPv4"
-  include_tasks: cis_3.4.4.1.x.yml
+- name: "SECTION | 3.4.3.1.x | Configure iptables"
+  include_tasks: cis_3.4.3.1.x.yml
   when:
   - rhel9cis_firewall == "iptables"
 
-- name: "SECTION | 3.4.4.2.x | Configure iptables IPv6"
-  include_tasks: cis_3.4.4.2.x.yml
+- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4"
+  include_tasks: cis_3.4.3.2.x.yml
+  when:
+  - rhel9cis_firewall == "iptables"
+
+- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6"
+  include_tasks: cis_3.4.3.3.x.yml
   when:
   - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required )
-
-- name: "SECTION | 3.5 | Configure wireless"
-  import_tasks: cis_3.5.yml
-
-- name: "SECTION | 3.5 | disable IPv6"
-  include_tasks: cis_3.5.yml
-  when:
-  - not rhel9cis_ipv6_required

tasks/section_4/main.yml

@@ -9,7 +9,7 @@
   import_tasks: cis_4.1.2.x.yml
 
 - name: "SECTION | 4.1.3 | Configure Auditd rules"
-  import_tasks: cis_4.1.x.yml
+  import_tasks: cis_4.1.3.x.yml
 
 - name: "SECTION | 4.2 | Configure Logging"
   import_tasks: cis_4.2.1.x.yml

tasks/section_5/cis_5.3.x.yml

@@ -33,7 +33,7 @@
   lineinfile:
       dest: /etc/sudoers
       regexp: '^Defaults    logfile='
-      line: 'Defaults    logfile="{{ rhel9cis_varlog_location }}"'
+      line: 'Defaults    logfile="{{ rhel9cis_sudolog_location }}"'
       state: present
   when:
       - rhel9cis_rule_5_3_3

tasks/section_5/cis_5.5.x.yml

@@ -13,7 +13,7 @@
             - item.id != "sync"
             - item.id != "shutdown"
             - item.id != "halt"
-            - rhel9cis_int_gid | int > item.gid
+            - min_int_uid | int > item.gid
             - item.shell != "      /bin/false"
             - item.shell != "      /usr/sbin/nologin"
 
@@ -28,7 +28,7 @@
             - item.id != "shutdown"
             - item.id != "sync"
             - item.id != "root"
-            - rhel9cis_int_gid | int > item.gid
+            - min_int_uid | int > item.gid
             - item.shell != "      /bin/false"
             - item.shell != "      /usr/sbin/nologin"
   when:

tasks/section_5/cis_5.6.x.yml

@@ -13,7 +13,7 @@
             - item.id != "sync"
             - item.id != "shutdown"
             - item.id != "halt"
-            - rhel9cis_int_gid | int < item.gid
+            - min_int_uid | int < item.gid
             - item.shell != "      /bin/false"
             - item.shell != "      /usr/sbin/nologin"
         loop_control:
@@ -30,7 +30,7 @@
             - item.id != "shutdown"
             - item.id != "sync"
             - item.id != "root"
-            - rhel9cis_int_gid | int < item.gid
+            - min_int_uid | int < item.gid
             - item.shell != "      /bin/false"
             - item.shell != "      /usr/sbin/nologin"
         loop_control:

tasks/section_6/cis_6.2.x.yml

@@ -230,7 +230,7 @@
         stat:
             path: "{{ item }}"
         register: rhel_08_6_2_9_audit
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
 
       - name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
         command: find -H {{ item.0 | quote }} -not -type l -perm /027
@@ -270,7 +270,7 @@
             recursive: yes
             etype: "{{ item.1.etype }}"
             permissions: "{{ item.1.mode }}"
-        when: not rhel9cis_system_is_container
+        when: not system_is_container
         with_nested:
             - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results |
               rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
@@ -299,13 +299,13 @@
   loop_control:
       label: "{{ rhel9cis_passwd_label }}"
   when:
-      - item.uid >= rhel9cis_int_gid
+      - min_int_uid | int <= item.uid
       - rhel9cis_rule_6_2_10
   tags:
       - skip_ansible_lint  # settings found on 6_2_7
       - level1-server
       - level1-workstation
-      - autoamted
+      - automated
       - patch
       - users
       - rule_6.2.10
@@ -315,7 +315,7 @@
       - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
         stat:
             path: "{{ item }}"
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
         register: rhel_08_6_2_11_audit
 
       - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
@@ -356,7 +356,7 @@
             recursive: yes
             etype: "{{ item.1.etype }}"
             permissions: "{{ item.1.mode }}"
-        when: not rhel9cis_system_is_container
+        when: not system_is_container
         with_nested:
             - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
               rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"

templates/ansible_vars_goss.yml.j2

@@ -281,39 +281,36 @@ rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }}
 rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
 rhel9cis_cups_server: {{ rhel9cis_cups_server }}
 rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
-rhel9cis_ldap_server: {{ rhel9cis_ldap_server }}
+rhel9cis_dns_server: {{ rhel9cis_dns_server }}
+rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
+rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
+rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
+rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
+rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
+rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }}
+rhel9cis_samba_server: {{ rhel9cis_samba_server }}
+rhel9cis_squid_server: {{ rhel9cis_squid_server }}
+rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
+rhel9cis_nis_server: {{ rhel9cis_nis_server }}
 rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
+rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
 rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
 rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
-rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }}
-rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }}
-rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
-rhel9cis_rsh_server: {{ rhel9cis_rsh_server }}
-rhel9cis_nis_server: {{ rhel9cis_nis_server }}
-rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
-rhel9cis_squid_server: {{ rhel9cis_squid_server }}
-rhel9cis_smb_server: {{ rhel9cis_smb_server }}
-rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }}
-rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
-rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
-rhel9cis_named_server: {{ rhel9cis_named_server }}
-rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }}
-rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
-rhel9cis_bind: {{ rhel9cis_bind }}
-rhel9cis_vsftpd: {{ rhel9cis_vsftpd }}
-rhel9cis_httpd: {{ rhel9cis_httpd }}
-rhel9cis_dovecot: {{ rhel9cis_dovecot }}
-rhel9cis_samba: {{ rhel9cis_samba }}
-rhel9cis_squid: {{ rhel9cis_squid }}
-rhel9cis_net_snmp: {{ rhel9cis_net_snmp}}
+rhel9cis_rsync_server: {{ rhel9cis_rsync_server }}
+
+
 rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }}
 
 # client services
-rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
-rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
-rhel9cis_talk_required: {{ rhel9cis_talk_required }}
-rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
 rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
+rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
+rhel9cis_talk_required: {{ rhel9cis_talk_required }}
+rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
+rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
+rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
+
+
+
 
 # AIDE
 rhel9cis_config_aide: {{ rhel9cis_config_aide }}
@@ -343,14 +340,12 @@ rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }}
 rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
 # End Banner
 
-# Set to 'true' if X Windows is needed in your environment
-rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }}
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
 rhel9cis_gui: {{ rhel9cis_gui }}
 
 # xinetd required
-rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }}
+rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
 
 # IPv6 required
 rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
@@ -358,10 +353,6 @@ rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
 # System network parameters (host only OR host and router)
 rhel9cis_is_router: {{ rhel9cis_is_router }}
 
-# Time Synchronization
-rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }}
-
-rhel9cis_varlog_location: {{ rhel9cis_varlog_location }}
 
 rhel9cis_firewall: {{ rhel9cis_firewall }}
 #rhel9cis_firewall: iptables
@@ -373,7 +364,6 @@ rhel9cis_firewall_interface:
 rhel9cis_firewall_services: {{ rhel9cis_firewall_services }}
 
 
-
 ### Section 4
 ## auditd settings
 rhel9cis_auditd:
@@ -395,45 +385,11 @@ rhel9cis_sshd_access:
   DenyUser:
   DenyGroup:
 
-rhel9cis_ssh_strong_ciphers:  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-rhel9cis_ssh_weak_ciphers:
-  3des-cbc
-  aes128-cbc
-  aes192-cbc
-  aes256-cbc
-  arcfour
-  arcfour128
-  arcfour256
-  blowfish-cbc
-  cast128-cbc 
-  rijndael-cbc@lysator.liu.se
-
-rhel9cis_ssh_strong_macs:  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256
-rhel9cis_ssh_weak_macs:
-  hmac-md5 
-  hmac-md5-96 
-  hmac-ripemd160 
-  hmac-sha1
-  hmac-sha1-96 
-  umac-64@openssh.com 
-  umac-128@openssh.com 
-  hmac-md5-etm@openssh.com 
-  hmac-md5-96-etm@openssh.com 
-  hmac-ripemd160-etm@openssh.com 
-  hmac-sha1-etm@openssh.com 
-  hmac-sha1-96-etm@openssh.com 
-  umac-64-etm@openssh.com 
-  umac-128-etm@openssh.com
-
-rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
-rhel9cis_ssh_weak_kex: 
-  diffie-hellman-group1-sha1 
-  diffie-hellman-group14-sha1 
-  diffie-hellman-group-exchange-sha1
-
 rhel9cis_ssh_aliveinterval: "300"
 rhel9cis_ssh_countmax: "3"
 
+rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }}
+
 ## PAM
 rhel9cis_pam_password: 
   minlen: {{ rhel9cis_pam_password.minlen }}

templates/audit/99_auditd.rules.j2

@@ -1,14 +1,14 @@
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
 {% if rhel9cis_rule_4_1_3_1 %}
 -w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope
+-w /etc/sudoers.d -p wa -k scope
 {% endif %}
 {% if rhel9cis_rule_4_1_3_2 %}
 -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
 -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
 {% endif %}
 {% if rhel9cis_rule_4_1_3_3 %}
--w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file
+-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
 {% endif %}
 {% if rhel9cis_rule_4_1_3_4 %}
 -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
@@ -26,14 +26,14 @@
 {% endif %}
 {% if rhel9cis_rule_4_1_3_6 %}
 {% for proc in priv_procs.stdout_lines -%}
--a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_4_1_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=-4294967295 -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
 {% endif %}
 {% if rhel9cis_rule_4_1_3_8 %}
 -w /etc/group -p wa -k identity
@@ -43,16 +43,16 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_4_1_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
 {% endif %}
 {% if rhel9cis_rule_4_1_3_10 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
 {% if rhel9cis_rule_4_1_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -64,29 +64,30 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if rhel9cis_rule_4_1_3_13 %}
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
+-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_3_14 %}
--w /etc/selinux/ -p wa -k MAC-policy
--w /usr/share/selinux/ -p wa -k MAC-policy
+-w /etc/selinux -p wa -k MAC-policy
+-w /usr/share/selinux -p wa -k MAC-policy
 {% endif %}
 {% if rhel9cis_rule_4_1_3_15 %}
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_4_1_3_16 %}
--a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_4_1_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k priv_cmd
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd
 {% endif %}
 {% if rhel9cis_rule_4_1_3_18 %}
--a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k usermod
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
 {% if rhel9cis_rule_4_1_3_19 %}
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_4_1_3_20 %}
 -e 2
+
 {% endif %}

templates/hosts.allow.j2

@@ -1,11 +0,0 @@
-#
-# hosts.allow	This file contains access rules which are used to
-#		allow or deny connections to network services that
-#		either use the tcp_wrappers library or that have been
-#		started through a tcp_wrappers-enabled xinetd.
-#
-#		See 'man 5 hosts_options' and 'man 5 hosts_access'
-#		for information on rule syntax.
-#		See 'man tcpd' for information on tcp_wrappers
-#
-ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}

templates/ntp.conf.j2

@@ -1,59 +0,0 @@
-# For more information about this file, see the man pages
-# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
-
-driftfile /var/lib/ntp/drift
-
-# Permit time synchronization with our time source, but do not
-# permit the source to query or modify the service on this system.
-#restrict default nomodify notrap nopeer noquery
-restrict -4 default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
-
-# Permit all access over the loopback interface.  This could
-# be tightened as well, but to do so would effect some of
-# the administrative functions.
-restrict 127.0.0.1
-restrict ::1
-
-# Hosts on local network are less restricted.
-#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
-
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-{% for server in rhel9cis_time_synchronization_servers -%}
-server {{ server }} {{ rhel9cis_ntp_server_options }}
-{% endfor %}
-
-#broadcast 192.168.1.255 autokey        # broadcast server
-#broadcastclient                        # broadcast client
-#broadcast 224.0.1.1 autokey            # multicast server
-#multicastclient 224.0.1.1              # multicast client
-#manycastserver 239.255.254.254         # manycast server
-#manycastclient 239.255.254.254 autokey # manycast client
-
-# Enable public key cryptography.
-#crypto
-
-includefile /etc/ntp/crypto/pw
-
-# Key file containing the keys and key identifiers used when operating
-# with symmetric key cryptography.
-keys /etc/ntp/keys
-
-# Specify the key identifiers which are trusted.
-#trustedkey 4 8 42
-
-# Specify the key identifier to use with the ntpdc utility.
-#requestkey 8
-
-# Specify the key identifier to use with the ntpq utility.
-#controlkey 8
-
-# Enable writing of statistics records.
-#statistics clockstats cryptostats loopstats peerstats
-
-# Disable the monitoring facility to prevent amplification attacks using ntpdc
-# monlist command when default restrict does not include the noquery flag. See
-# CVE-2013-5211 for more details.
-# Note: Monitoring will not be disabled with the limited restriction flag.
-disable monitor

vars/is_container.yml

@@ -6,8 +6,6 @@
 
 ## controls
 
-# Authconfig
-rhel9cis_use_authconfig: false
 
 # Firewall
 rhel9cis_firewall: None