---
# defaults file for rhel9-cis
#
# Layout: role-wide switches and audit-role settings come first, then the per-section
# and per-rule toggles, then the tunables consumed by individual controls.
#
# WARNING:
# These values may be overridden by other vars-setting options (e.g. the 'container_vars_file'
# below), as explained here:
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable

## Usage on containerized images
# The role discovers dynamically (in tasks/main.yml) whether it
# is executed on a container image and sets the variable
# system_is_container to true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false

# The filename of the existing yml file in role's 'vars/' sub-directory
# to be used for managing the role-behavior when a container was detected:
# (de)activating rules or for other tasks (e.g. disabling Selinux or a specific
# firewall-type).
container_vars_file: is_container.yml

# rhel9cis is left off the front of this var for consistency in testing pipeline
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances.
# Set true to skip and false to run tasks.
system_is_ec2: false

# Run the OS validation check
# Supported OSs will not need for this to be changed - see README e.g. CentOS
os_check: true

# Disruption is high
## Run tests that are considered higher risk and could have a system impact if not properly tested
## Default false
## Will be fine if clean new unconfigured build
rhel9cis_disruption_high: false

## Switching on/off specific baseline sections
# These variables govern whether the tasks of a particular section are to be executed when running the role.
# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
# If you do not want the tasks from that section to get executed you simply set the variable to "false".
# NOTE: sections 3-6 (network, firewall, access control, logging/auditing) are OFF by default, so the
# per-rule toggles for those sections further down have no effect until the section is enabled here.
# Per-rule toggles for Section 7 (System Maintenance) are also defined below, but no
# 'rhel9cis_section7' switch appears in this file - confirm in tasks/main.yml how those are gated.
rhel9cis_section1: true
rhel9cis_section2: true
rhel9cis_section3: false
rhel9cis_section4: false
rhel9cis_section5: false
rhel9cis_section6: false

# This is used for audit purposes to run only specific level use the tags
# e.g.
# - level1-server
# - level2-workstation
rhel9cis_level_1: true
rhel9cis_level_2: true

## Section 1.6 - Mandatory Access Control
# This variable governs whether SELinux is disabled or not. Leaving it at 'false' (SELinux NOT
# disabled) lets the SELinux subsection run; setting it to 'true' disables SELinux and skips that
# subsection. Note that the Selinux rules (1.3.1.x below) expect SELinux to stay enabled.
rhel9cis_selinux_disable: false

# This variable is used in a preliminary task, handling grub2 paths either in case of
# UEFI boot ('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot ('/etc/grub2.cfg').
rhel9cis_legacy_boot: false

## Benchmark name used by auditing control role
# The audit variable found at the base
## metadata for Audit benchmark
benchmark_version: 'v2.0.0'
benchmark: RHEL9-CIS

# Whether to skip the system reboot before audit
# System will reboot if false, can give better audit results
skip_reboot: true

# Expected to be flipped to true by tasks when a change needs a reboot. When 'skip_reboot' is true
# the system will not reboot; the role then errors rather than continuing silently (behaviour not
# visible in this file - confirm in the tasks).
change_requires_reboot: false

###
### Settings for associated Audit role using Goss
###
###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings  ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false

# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

## Only run Audit do not remediate
audit_only: false

### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false

# Path to copy the files to will create dir structure in audit_only mode
# Placeholder - set to a real, writable path on the control node before enabling 'fetch_audit_files'.
audit_capture_files_dir: /some/location to copy to on control node

#############################
# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already downloaded
# 'download' fetches the goss binary from the internet at run time; for restricted or production
# environments, 'copy' from a vetted location is the safer choice. How (or whether) the downloaded
# binary's integrity is verified is not visible in this part of the file - confirm before relying on it.
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

# Where the audit logs are stored
audit_log_dir: '/opt'

### Goss Settings ##
####### END ########

# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section
# group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Per-rule toggles: 'true' runs the remediation for that CIS rule ID, 'false' skips it.
# A toggle only takes effect when the matching 'rhel9cis_sectionN' switch is enabled.

# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)

# Filesystem kernel modules
rhel9cis_rule_1_1_1_1: true
rhel9cis_rule_1_1_1_2: true
rhel9cis_rule_1_1_1_3: true
rhel9cis_rule_1_1_1_4: true
rhel9cis_rule_1_1_1_5: true
rhel9cis_rule_1_1_1_6: true
rhel9cis_rule_1_1_1_7: true
rhel9cis_rule_1_1_1_8: true
rhel9cis_rule_1_1_1_9: true

# Filesystems
# /tmp
rhel9cis_rule_1_1_2_1_1: true
rhel9cis_rule_1_1_2_1_2: true
rhel9cis_rule_1_1_2_1_3: true
rhel9cis_rule_1_1_2_1_4: true
# /dev/shm
rhel9cis_rule_1_1_2_2_1: true
rhel9cis_rule_1_1_2_2_2: true
rhel9cis_rule_1_1_2_2_3: true
rhel9cis_rule_1_1_2_2_4: true
# /home
rhel9cis_rule_1_1_2_3_1: true
rhel9cis_rule_1_1_2_3_2: true
rhel9cis_rule_1_1_2_3_3: true
# /var
rhel9cis_rule_1_1_2_4_1: true
rhel9cis_rule_1_1_2_4_2: true
rhel9cis_rule_1_1_2_4_3: true
# /var/tmp
rhel9cis_rule_1_1_2_5_1: true
rhel9cis_rule_1_1_2_5_2: true
rhel9cis_rule_1_1_2_5_3: true
rhel9cis_rule_1_1_2_5_4: true
# /var/log
rhel9cis_rule_1_1_2_6_1: true
rhel9cis_rule_1_1_2_6_2: true
rhel9cis_rule_1_1_2_6_3: true
rhel9cis_rule_1_1_2_6_4: true
# /var/log/audit
rhel9cis_rule_1_1_2_7_1: true
rhel9cis_rule_1_1_2_7_2: true
rhel9cis_rule_1_1_2_7_3: true
rhel9cis_rule_1_1_2_7_4: true

# Package Mgmt
# Config Pkg Repos
rhel9cis_rule_1_2_1_1: true
rhel9cis_rule_1_2_1_2: true
rhel9cis_rule_1_2_1_3: true
rhel9cis_rule_1_2_1_4: true
# Package updates
rhel9cis_rule_1_2_2_1: true

# Selinux
rhel9cis_rule_1_3_1_1: true
rhel9cis_rule_1_3_1_2: true
rhel9cis_rule_1_3_1_3: true
rhel9cis_rule_1_3_1_4: true
rhel9cis_rule_1_3_1_5: true
rhel9cis_rule_1_3_1_6: true
rhel9cis_rule_1_3_1_7: true
rhel9cis_rule_1_3_1_8: true

# Bootloader
rhel9cis_rule_1_4_1: true
rhel9cis_rule_1_4_2: true

# Additional Process Hardening
rhel9cis_rule_1_5_1: true
rhel9cis_rule_1_5_2: true
rhel9cis_rule_1_5_3: true
rhel9cis_rule_1_5_4: true

# Config system wide Crypto
rhel9cis_rule_1_6_1: true
rhel9cis_rule_1_6_2: true
rhel9cis_rule_1_6_3: true
rhel9cis_rule_1_6_4: true
rhel9cis_rule_1_6_5: true
rhel9cis_rule_1_6_6: true
rhel9cis_rule_1_6_7: true

# Command line warning banners
rhel9cis_rule_1_7_1: true
rhel9cis_rule_1_7_2: true
rhel9cis_rule_1_7_3: true
rhel9cis_rule_1_7_4: true
rhel9cis_rule_1_7_5: true
rhel9cis_rule_1_7_6: true

# Gnome Display Manager
rhel9cis_rule_1_8_1: true
rhel9cis_rule_1_8_2: true
rhel9cis_rule_1_8_3: true
rhel9cis_rule_1_8_4: true
rhel9cis_rule_1_8_5: true
rhel9cis_rule_1_8_6: true
rhel9cis_rule_1_8_7: true
rhel9cis_rule_1_8_8: true
rhel9cis_rule_1_8_9: true
rhel9cis_rule_1_8_10: true

# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
## Configure Server Services
rhel9cis_rule_2_1_1: true
rhel9cis_rule_2_1_2: true
rhel9cis_rule_2_1_3: true
rhel9cis_rule_2_1_4: true
rhel9cis_rule_2_1_5: true
rhel9cis_rule_2_1_6: true
rhel9cis_rule_2_1_7: true
rhel9cis_rule_2_1_8: true
rhel9cis_rule_2_1_9: true
rhel9cis_rule_2_1_10: true
rhel9cis_rule_2_1_11: true
rhel9cis_rule_2_1_12: true
rhel9cis_rule_2_1_13: true
rhel9cis_rule_2_1_14: true
rhel9cis_rule_2_1_15: true
rhel9cis_rule_2_1_16: true
rhel9cis_rule_2_1_17: true
rhel9cis_rule_2_1_18: true
rhel9cis_rule_2_1_19: true
rhel9cis_rule_2_1_20: true
rhel9cis_rule_2_1_21: true
rhel9cis_rule_2_1_22: true

## Configure Client Services
rhel9cis_rule_2_2_1: true
rhel9cis_rule_2_2_2: true
rhel9cis_rule_2_2_3: true
rhel9cis_rule_2_2_4: true
rhel9cis_rule_2_2_5: true

## Configure Time Synchronization
rhel9cis_rule_2_3_1: true
rhel9cis_rule_2_3_2: true
rhel9cis_rule_2_3_3: true

## Job Schedulers
### cron
rhel9cis_rule_2_4_1_1: true
rhel9cis_rule_2_4_1_2: true
rhel9cis_rule_2_4_1_3: true
rhel9cis_rule_2_4_1_4: true
rhel9cis_rule_2_4_1_5: true
rhel9cis_rule_2_4_1_6: true
rhel9cis_rule_2_4_1_7: true
rhel9cis_rule_2_4_1_8: true
### at
rhel9cis_rule_2_4_2_1: true

# Section 3 Network
## Network Devices
rhel9cis_rule_3_1_1: true
rhel9cis_rule_3_1_2: true
rhel9cis_rule_3_1_3: true

## Network Kernel Modules
rhel9cis_rule_3_2_1: true
rhel9cis_rule_3_2_2: true
rhel9cis_rule_3_2_3: true
rhel9cis_rule_3_2_4: true

# Network Kernel Parameters
rhel9cis_rule_3_3_1: true
rhel9cis_rule_3_3_2: true
rhel9cis_rule_3_3_3: true
rhel9cis_rule_3_3_4: true
rhel9cis_rule_3_3_5: true
rhel9cis_rule_3_3_6: true
rhel9cis_rule_3_3_7: true
rhel9cis_rule_3_3_8: true
rhel9cis_rule_3_3_9: true
rhel9cis_rule_3_3_10: true
rhel9cis_rule_3_3_11: true

# Section 4 Firewalls
## Firewall utility
rhel9cis_rule_4_1_1: true
rhel9cis_rule_4_1_2: true

## Configure firewalld
rhel9cis_rule_4_2_1: true
rhel9cis_rule_4_2_2: true

# Configure nftables
rhel9cis_rule_4_3_1: true
rhel9cis_rule_4_3_2: true
rhel9cis_rule_4_3_3: true
rhel9cis_rule_4_3_4: true

## Section 5
## 5.1. Configure SSH Server
rhel9cis_rule_5_1_1: true
rhel9cis_rule_5_1_2: true
rhel9cis_rule_5_1_3: true
rhel9cis_rule_5_1_4: true
rhel9cis_rule_5_1_5: true
rhel9cis_rule_5_1_6: true
rhel9cis_rule_5_1_7: true
rhel9cis_rule_5_1_8: true
rhel9cis_rule_5_1_9: true
rhel9cis_rule_5_1_10: true
rhel9cis_rule_5_1_11: true
rhel9cis_rule_5_1_12: true
rhel9cis_rule_5_1_13: true
rhel9cis_rule_5_1_14: true
rhel9cis_rule_5_1_15: true
rhel9cis_rule_5_1_16: true
rhel9cis_rule_5_1_17: true
rhel9cis_rule_5_1_18: true
rhel9cis_rule_5_1_19: true
rhel9cis_rule_5_1_20: true
rhel9cis_rule_5_1_21: true

## 5.2 Configure Privilege Escalation
rhel9cis_rule_5_2_1: true
rhel9cis_rule_5_2_2: true
rhel9cis_rule_5_2_3: true
rhel9cis_rule_5_2_4: true
rhel9cis_rule_5_2_5: true
rhel9cis_rule_5_2_6: true
rhel9cis_rule_5_2_7: true

# 5.3.1.x Configure PAM software packages
rhel9cis_rule_5_3_1_1: true
rhel9cis_rule_5_3_1_2: true
rhel9cis_rule_5_3_1_3: true

# 5.3.2 Configure authselect
rhel9cis_rule_5_3_2_1: true
rhel9cis_rule_5_3_2_2: true
rhel9cis_rule_5_3_2_3: true
rhel9cis_rule_5_3_2_4: true

# 5.3.3.1 Configure pam_faillock module
rhel9cis_rule_5_3_3_1_1: true
rhel9cis_rule_5_3_3_1_2: true
rhel9cis_rule_5_3_3_1_3: true

# 5.3.3.2 Configure pam_pwquality module
rhel9cis_rule_5_3_3_2_1: true
rhel9cis_rule_5_3_3_2_2: true
rhel9cis_rule_5_3_3_2_3: true
rhel9cis_rule_5_3_3_2_4: true
rhel9cis_rule_5_3_3_2_5: true
rhel9cis_rule_5_3_3_2_6: true
rhel9cis_rule_5_3_3_2_7: true
rhel9cis_rule_5_3_3_2_8: true

# 5.3.3.3 Configure pam_pwhistory module
# These are added as part of 5.3.2.4 using a jinja2 template
rhel9cis_rule_5_3_3_3_1: true
rhel9cis_rule_5_3_3_3_2: true
rhel9cis_rule_5_3_3_3_3: true

# 5.3.3.4 Configure pam_unix module
rhel9cis_rule_5_3_3_4_1: true
rhel9cis_rule_5_3_3_4_2: true
rhel9cis_rule_5_3_3_4_3: true
rhel9cis_rule_5_3_3_4_4: true

# 5.4 User Accounts and Environment
# 5.4.1 Configure shadow password suite parameters
rhel9cis_rule_5_4_1_1: true
rhel9cis_rule_5_4_1_2: true
rhel9cis_rule_5_4_1_3: true
rhel9cis_rule_5_4_1_4: true
rhel9cis_rule_5_4_1_5: true
rhel9cis_rule_5_4_1_6: true

# 5.4.2 Configure root and system accounts and environment
rhel9cis_rule_5_4_2_1: true
rhel9cis_rule_5_4_2_2: true
rhel9cis_rule_5_4_2_3: true
rhel9cis_rule_5_4_2_4: true
rhel9cis_rule_5_4_2_5: true
rhel9cis_rule_5_4_2_6: true
rhel9cis_rule_5_4_2_7: true
rhel9cis_rule_5_4_2_8: true

# 5.4.3 Configure user default environment
rhel9cis_rule_5_4_3_1: true
rhel9cis_rule_5_4_3_2: true
rhel9cis_rule_5_4_3_3: true

# Section 6 Logging and Auditing
## 6.1 Configure Integrity Checking
rhel9cis_rule_6_1_1: true
rhel9cis_rule_6_1_2: true
rhel9cis_rule_6_1_3: true

## 6.2.1 Configure systemd-journald service
rhel9cis_rule_6_2_1_1: true
rhel9cis_rule_6_2_1_2: true
rhel9cis_rule_6_2_1_3: true
rhel9cis_rule_6_2_1_4: true

## 6.2.2.x Configure journald
rhel9cis_rule_6_2_2_1_1: true
rhel9cis_rule_6_2_2_1_2: true
rhel9cis_rule_6_2_2_1_3: true
rhel9cis_rule_6_2_2_1_4: true
rhel9cis_rule_6_2_2_2: true
rhel9cis_rule_6_2_2_3: true
rhel9cis_rule_6_2_2_4: true

## 6.2.3 Configure rsyslog
rhel9cis_rule_6_2_3_1: true
rhel9cis_rule_6_2_3_2: true
rhel9cis_rule_6_2_3_3: true
rhel9cis_rule_6_2_3_4: true
rhel9cis_rule_6_2_3_5: true
rhel9cis_rule_6_2_3_6: true
rhel9cis_rule_6_2_3_7: true

## 6.2.4 Configure Logfiles
rhel9cis_rule_6_2_4_1: true

## 6.3 Configure Auditing
## 6.3.1 Configure auditd Service
rhel9cis_rule_6_3_1_1: true
rhel9cis_rule_6_3_1_2: true
rhel9cis_rule_6_3_1_3: true
rhel9cis_rule_6_3_1_4: true

## 6.3.2 Configure Data Retention
rhel9cis_rule_6_3_2_1: true
rhel9cis_rule_6_3_2_2: true
rhel9cis_rule_6_3_2_3: true
rhel9cis_rule_6_3_2_4: true

## 6.3.3 Configure auditd Rules
rhel9cis_rule_6_3_3_1: true
rhel9cis_rule_6_3_3_2: true
rhel9cis_rule_6_3_3_3: true
rhel9cis_rule_6_3_3_4: true
rhel9cis_rule_6_3_3_5: true
rhel9cis_rule_6_3_3_6: true
rhel9cis_rule_6_3_3_7: true
rhel9cis_rule_6_3_3_8: true
rhel9cis_rule_6_3_3_9: true
rhel9cis_rule_6_3_3_10: true
rhel9cis_rule_6_3_3_11: true
rhel9cis_rule_6_3_3_12: true
rhel9cis_rule_6_3_3_13: true
rhel9cis_rule_6_3_3_14: true
rhel9cis_rule_6_3_3_15: true
rhel9cis_rule_6_3_3_16: true
rhel9cis_rule_6_3_3_17: true
rhel9cis_rule_6_3_3_18: true
rhel9cis_rule_6_3_3_19: true
rhel9cis_rule_6_3_3_20: true
rhel9cis_rule_6_3_3_21: true

## 6.3.4 Configure auditd File Access
rhel9cis_rule_6_3_4_1: true
rhel9cis_rule_6_3_4_2: true
rhel9cis_rule_6_3_4_3: true
rhel9cis_rule_6_3_4_4: true
rhel9cis_rule_6_3_4_5: true
rhel9cis_rule_6_3_4_6: true
rhel9cis_rule_6_3_4_7: true
rhel9cis_rule_6_3_4_8: true
rhel9cis_rule_6_3_4_9: true
rhel9cis_rule_6_3_4_10: true

# Section 7 System Maintenance
# NOTE: no 'rhel9cis_section7' switch is defined alongside the other section switches in this
# file - confirm in tasks/main.yml how these Section 7 toggles are gated.
## 7.1 System File Permissions
rhel9cis_rule_7_1_1: true
rhel9cis_rule_7_1_2: true
rhel9cis_rule_7_1_3: true
rhel9cis_rule_7_1_4: true
rhel9cis_rule_7_1_5: true
rhel9cis_rule_7_1_6: true
rhel9cis_rule_7_1_7: true
rhel9cis_rule_7_1_8: true
rhel9cis_rule_7_1_9: true
rhel9cis_rule_7_1_10: true
rhel9cis_rule_7_1_11: true
rhel9cis_rule_7_1_12: true
rhel9cis_rule_7_1_13: true

## 7.2 Local User and Group Settings
rhel9cis_rule_7_2_1: true
rhel9cis_rule_7_2_2: true
rhel9cis_rule_7_2_3: true
rhel9cis_rule_7_2_4: true
rhel9cis_rule_7_2_5: true
rhel9cis_rule_7_2_6: true
rhel9cis_rule_7_2_7: true
rhel9cis_rule_7_2_8: true
rhel9cis_rule_7_2_9: true

## Section 1 vars

## Control 1.1.2
# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
# otherwise fstab configuration will be used.
# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
rhel9cis_tmp_svc: false

## Control 1.2.1
# For new systems that have not yet run update the gpg key is not yet imported
# Setting to `true` will allow a test on the package and force the import of the key
rhel9cis_force_gpg_key_import: true

## Control 1.2.4
# When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM
# repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'true', will enable the tasks
# which check the GPG signatures for all the individual YUM repositories.
rhel9cis_rhel_default_repo: true

## Control 1.2.4
# When 'rhel9cis_rule_enable_repogpg' is set to 'true' (in conjunction with 'rhel9cis_rhel_default_repo': 'false'), conditions are met for
# enabling the GPG signatures-check for all the individual YUM repositories. If GPG signatures-check is enabled on repositories which do not
# support it (like RedHat), installation of packages will fail.
rhel9cis_rule_enable_repogpg: true

## Control 1.3.1.3|4|5 - SELinux policy settings
# This selects type of policy; targeted or mls (multilevel).
# mls should not be used, since it will disable unconfined policy module
# and may prevent some services from running. Requires SELinux not being disabled (i.e.
# 'rhel9cis_selinux_disable' left as 'false'), otherwise this setting is ignored.
rhel9cis_selinux_pol: targeted

## Control 1.6.1.3|4 - SELinux configured and not disabled
# This variable contains a specific SELinux mode, respectively:
# - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy
#   rules. If system was installed with SELinux, this is enabled by default.
# - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only
#   logs AVC (Access Vector Cache) messages. RedHat docs suggest it "can be used
#   briefly to check if SELinux is the culprit in preventing your application
#   from working".
# CIS expects enforcing since permissive allows operations that might compromise the system,
# even though logging still occurs.
rhel9cis_selinux_enforce: enforcing

## Control 1.4.1
# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
# this format: 'grub.pbkdf2.sha512...'
# NOTE: the shipped value is a non-functional placeholder, yet 'rhel9cis_set_boot_pass' below defaults to
# 'true'; override this hash before running so the placeholder is not written to user.cfg. Whether the
# role refuses the placeholder is not visible in this file - confirm.
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret

## Control 1.4.1
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: true

## Control 1.6
# This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING
# 'LEGACY' value (as it is less secure, it just ensures compatibility with legacy systems), therefore
# possible values for this variable are, as explained by RedHat docs:
# - 'DEFAULT': reasonable default policy for today's standards (balances usability and security)
# - 'FUTURE': conservative security level that is believed to withstand any near-term future attacks
# - 'FIPS': A level that conforms to the FIPS140-2 requirements
rhel9cis_crypto_policy: 'DEFAULT'

## Control 1.6
# This variable contains the value of the crypto policy module (combinations of policies and
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
# using 'rhel9cis_allowed_crypto_policies_modules' variable. An empty string means no module is applied.
rhel9cis_crypto_policy_module: ''

## Controls:
# - 1.7.1 - Ensure message of the day is configured properly
# - 1.7.2 - Ensure local login warning banner is configured properly
# - 1.7.3 - Ensure remote login warning banner is configured properly
# This variable stores the content for the Warning Banner (relevant for issue, issue.net, motd).
rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported.
# End Banner

## Control 1.8.x - Settings for GDM
## 1.8 GDM graphical interface
rhel9cis_gui: false

# This variable specifies the GNOME configuration database file to which configurations are written.
# (See "https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en")
# The default database is 'local'.
rhel9cis_dconf_db_name: local

# This variable governs the number of seconds of inactivity before the screen goes blank.
# Set max value for idle-delay in seconds (between 1 and 900)
rhel9cis_screensaver_idle_delay: 900

# This variable governs the number of seconds the screen remains blank before it is locked.
# Set max value for lock-delay in seconds (between 0 and 5)
rhel9cis_screensaver_lock_delay: 5

## Section 2. Services
## Section 2.1 Time Synchronization
## Control 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
# The following variable represents a list of time servers used
# for configuring chrony, timesyncd, and ntp.
# Each list item is a server hostname; the per-server options (e.g. `minpoll`, `iburst`) are taken
# from 'rhel9cis_chrony_server_options' below - please refer to the documentation of the time
# synchronization mechanism you are using.
rhel9cis_time_synchronization_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org

## Control 2.1.2 - Time Synchronization servers
# This variable should contain the default options to be used for every NTP server hostname defined
# within the 'rhel9cis_time_synchronization_servers' var.
rhel9cis_chrony_server_options: "minpoll 8"

# If set to 'true', chronyd is configured with 'rtcsync': the kernel is informed that the system clock is kept
# synchronized and updates the real-time clock every 11 minutes. If 'false', the kernel discipline /
# 11-minute mode is left off.
# NOTE(review): the original comment called 'true' the default while the value shipped here is 'false';
# confirm which one the template expects.
rhel9cis_chrony_server_rtcsync: false

# This variable configures the values to be used by chronyd to gradually correct any time offset,
# by slowing down/speeding up the clock. An example of this directive usage would be:
# 'makestep 1000 10'.
# Step the system clock:
# - IF the adjustment is larger than 1000 seconds
# - but ONLY IN the first ten clock updates
rhel9cis_chrony_server_makestep: "1.0 3"

# This variable configures the minimum number of sources that need to be considered as selectable in the source
# selection algorithm before the local clock is updated. Setting minsources to a larger number can be used to
# improve the reliability, because multiple sources will need to correspond with each other.
rhel9cis_chrony_server_minsources: 2

# Service configuration
# Options are
# Service
# - false - removes package
# - true - leaves package installed
# Mask
# - false - leaves service in current status
# - true - sets service name to masked
rhel9cis_autofs_services: false
rhel9cis_autofs_mask: true
rhel9cis_avahi_server: false
rhel9cis_avahi_mask: false
rhel9cis_dhcp_server: false
rhel9cis_dhcp_mask: false
rhel9cis_dns_server: false
rhel9cis_dns_mask: false
rhel9cis_dnsmasq_server: false
rhel9cis_dnsmasq_mask: false
rhel9cis_samba_server: false
rhel9cis_samba_mask: false
rhel9cis_ftp_server: false
rhel9cis_ftp_mask: false
rhel9cis_message_server: false  # This is for messaging dovecot and cyrus-imap
rhel9cis_message_mask: false
rhel9cis_nfs_server: true
rhel9cis_nfs_mask: true
rhel9cis_nis_server: true  # set to mask if nis client required
rhel9cis_nis_mask: false
rhel9cis_print_server: false  # replaces cups
rhel9cis_print_mask: false
rhel9cis_rpc_server: true
rhel9cis_rpc_mask: true
rhel9cis_rsync_server: false
rhel9cis_rsync_mask: false
rhel9cis_net_snmp_server: false
rhel9cis_net_snmp_mask: false
rhel9cis_telnet_server: false
rhel9cis_telnet_mask: false
rhel9cis_tftp_server: false
rhel9cis_tftp_mask: false
rhel9cis_squid_server: false
rhel9cis_squid_mask: false
rhel9cis_httpd_server: false
rhel9cis_httpd_mask: false
rhel9cis_nginx_server: false
rhel9cis_nginx_mask: false
rhel9cis_xinetd_server: false
rhel9cis_xinetd_mask: false
rhel9cis_xwindow_server: false  # will remove, mask not an option
rhel9cis_is_mail_server: false

## Section 2.3 Service clients
rhel9cis_ftp_client: false
rhel9cis_openldap_clients_required: false
rhel9cis_ypbind_required: false  # Same package as NIS server
rhel9cis_telnet_required: false
rhel9cis_tftp_client: false

## Section 3 vars
## Sysctl
# Service configuration
# Options are
# Service
# - false - removes package
# - true - leaves package installed
# Mask
# - false - leaves service in current status
# - true - sets service name to masked
rhel9cis_bluetooth_service: false
rhel9cis_bluetooth_mask: true

## 3.1 IPv6 requirement toggle
# This variable governs whether ipv6 is enabled or disabled.
rhel9cis_ipv6_required: true

# 3.3 System network parameters (host only OR host and router)
# This variable governs whether specific CIS rules
# concerned with acceptance and routing of packets are skipped.
rhel9cis_is_router: false

# This variable governs if the task which updates sysctl (including sysctl reload) is executed.
# NOTE: The current default value is likely to be overridden by other further tasks (via 'set_fact').
rhel9cis_sysctl_update: false

# This variable governs if the task which flushes the IPv4 routing table is executed (forcing subsequent connections to
# use the new configuration).
# NOTE: The current default value is likely to be overridden by other further tasks (via 'set_fact').
rhel9cis_flush_ipv4_route: false

# This variable governs if the task which flushes the IPv6 routing table is executed (forcing subsequent connections to
# use the new configuration).
# NOTE: The current default value is likely to be overridden by other further tasks (via 'set_fact').
rhel9cis_flush_ipv6_route: false

# Section 4 vars
### Firewall Service to install and configure - Options are:
# 1) either 'firewalld'
# 2) or 'nftables'
#### Some control allow for services to be removed or masked
#### The options are under each heading
#### absent = remove the package
#### masked = leave package if installed and mask the service
rhel9cis_firewall: firewalld

## Control 4.2.x - Ensure firewalld default zone is set
# This variable will set the firewalld default zone (that is used for everything that is not explicitly bound/assigned
# to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used.
rhel9cis_default_zone: public

## Controls 4.3.x nftables
# This variable stores the name of the table to be used when configuring nftables (creating chains, configuring loopback
# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will
# be created using as name the value stored by this variable.
# NOTE(review): 'rhel9cis_nft_tables_autonewtable' is referenced here but not defined in this part of the
# file - confirm it is defined elsewhere (e.g. vars/).
rhel9cis_nft_tables_tablename: filter

## Ensure nftables base chains exist
# This variable governs if a nftables base chain (entry point for packets from the networking stack) will be automatically
# created, if needed. Without a base chain hooked to input, forward and output, packets that would flow through those
# chains will not be touched by nftables.
rhel9cis_nft_tables_autochaincreate: true

## Section5 vars
## Section 5.1 - SSH
# This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of
# drop-in files ('/etc/ssh/sshd_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them.
# Otherwise, the default value is '/etc/ssh/sshd_config'.
# NOTE: the 'rhel9_cis_' prefix differs from every other variable in this file ('rhel9cis_'); the name is
# kept as-is because tasks presumably reference it - take care when overriding.
rhel9_cis_sshd_config_file: /etc/ssh/sshd_config

## Controls:
## - 5.1.7 - Ensure SSH access is limited
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
# If a USER@HOST format is used, the specified user will be allowed only on that particular host.
# NOTE(review): the Jinja expression below renders to an empty string when the role runs directly as
# 'root' with no SUDO_USER in the environment; how the sshd template handles an empty AllowUsers value
# is not visible here - confirm before running, since a wrong AllowUsers line can lock administrators out.
rhel9cis_sshd_allowusers: "{% if ansible_facts.user_id != 'root' %}{{ ansible_facts.user_id }}{% elif ansible_env.SUDO_USER is defined %}{{ ansible_env.SUDO_USER }}{% endif %}"

# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# rhel9cis_sshd_allowgroups: "wheel"

# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If a USER@HOST format is used, the specified user will be restricted only on that particular host.
rhel9cis_sshd_denyusers: "nobody"

# This variable, if specified, configures a list of GROUP name patterns, separated by spaces,
# to prevent SSH access for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# Whether an empty string omits the option or writes an empty DenyGroups line depends on the template - not visible here.
rhel9cis_sshd_denygroups: ""

## - 5.1.9 - ClientAlive and CountMax
# default settings allow 45 seconds e.g. count x interval
# This variable sets the maximum number of unresponsive "keep-alive" messages
# that can be sent from the server to the client before the connection is considered
# inactive and thus, closed.
rhel9cis_sshd_clientalivecountmax: 3

# This variable sets the time interval in seconds between sending "keep-alive"
# messages from the server to the client. These types of messages are intended to
# keep the connection alive and prevent it being terminated due to inactivity.
rhel9cis_sshd_clientaliveinterval: 15

## Control 5.1.12 - disable forwarding
# By Default this will also disable x11 forwarding
# set 'yes' if x11 is required; this can be changed to run in /etc/ssh/sshd_config.d/50-redhat.conf
# Quoted deliberately: sshd expects the literal word; an unquoted no/yes would be parsed as a YAML boolean.
rhel9cis_sshd_x11forwarding: 'no'

## - 5.2.14 - Ensure SSH LoginGraceTime is set to one minute or less
# This variable specifies the amount of seconds allowed for successful authentication to
# the SSH server.
rhel9cis_sshd_logingracetime: 60

## Control 5.2.15 - Ensure SSH LogLevel is appropriate
# This variable is used to control the verbosity of the logging produced by the SSH server.
# The options for setting it are as follows:
# - `QUIET`: Minimal logging;
# - `FATAL`: logs only fatal errors;
# - `ERROR`: logs error messages;
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information including sensitive information.
# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1.
rhel9cis_ssh_loglevel: INFO

## Control 5.1.16 MaxAuthTries configured
# The MaxAuthTries parameter specifies the maximum number of authentication
# attempts permitted per connection. When the login failure count reaches half the
# number, error messages will be written to the syslog file detailing the login failure.
rhel9cis_ssh_maxauthtries: '4'

## Control 5.1.7 MaxStartups
# The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
# Quoted deliberately: an unquoted colon-separated number is read as a sexagesimal integer by YAML 1.1 parsers.
rhel9cis_ssh_maxstartups: '10:30:60'

## Control 5.1.18 - Ensure SSH MaxSessions is set to 10 or less
# This variable value specifies the maximum number of open sessions that are permitted from
# a given location
rhel9cis_ssh_maxsessions: 4

## Control 5.2.x - Ensure sudo log file exists
# By default, sudo logs through syslog(3). However, to specify a custom log file, the
# 'logfile' parameter will be used, setting it with current variable's value.
# This variable defines the path and file name of the sudo log file.
rhel9cis_sudolog_location: "/var/log/sudo.log"

## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
# This variable sets the duration (in minutes) during which a user's authentication credentials
# are cached after successfully authenticating using "sudo". This allows the user to execute
# multiple commands with elevated privileges without needing to re-enter their password for each
# command within the specified time period. CIS requires a value of at most 15 minutes.
rhel9cis_sudo_timestamp_timeout: 15

## Control 5.2.4
# This will leave NOPASSWD intact for these users.
# Accounts listed here keep passwordless sudo; the shipped entries are image/test conveniences
# (cloud and Vagrant default users) - review the list for production hosts.
rhel9cis_sudoers_exclude_nopasswd_list:
  - ec2-user
  - vagrant

## Control 5.2 - Ensure access to the 'su' command is restricted
# This variable determines the name of the group of users that are allowed to use the su command.
# CIS requires that such a group be CREATED (named according to site policy) and be kept EMPTY.
rhel9cis_sugroup: nosugroup

## 5.3.x PAM and Authselect
# Do not use authselect if:
# Your host is part of Linux Identity Management.
# Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
# Your host is part of Active Directory via SSSD.
# Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
rhel9cis_allow_authselect_updates: false
## rhel9cis_authselect_pkg_update: false  # NOTE the risks if system is using SSSD or using ipa-client-install

## Controls
# - 5.3.3. - Ensure lockout for failed password attempts is configured
# - 5.5.3 - Ensure password reuse is limited
# - 5.5.4 - Ensure password hashing algorithm is SHA-512
# - 5.4.2 - Ensure authselect includes with-faillock
rhel9cis_pam_faillock:
  # - 5.3.3.1.1
  # This variable sets the number of failed password attempts allowed before the user is locked.
  deny: 5
  # - 5.3.3.1.2
  # This variable sets the time (in seconds) after which a user locked out by too many
  # password failures is unlocked again.
  unlock_time: 900
  # NOTE(review): the comment previously attached here described pwhistory 'remember' (password
  # re-use cycles), not this key. In pam_faillock terms this most likely maps to the window, in
  # seconds, within which 'deny' failures must occur to lock the account - confirm against the template.
  interval: 900
  # Unlock time (seconds) applied to the root account when root lockout is enabled via 'root_option'.
  root_unlock_time: 60
  # Choose options below for root options
  root_option: even_deny_root
  # root_option: "root_unlock_time = {{ root_unlock_time }}"

## Control 5.3.3.2.x - Ensure password creation requirements are configured - PAM
rhel9cis_pam_password:
  # - 5.3.3.2.1
  # The pwquality difok option sets the number of characters in a password that must not
  # be present in the old password.
  difok: 2
  # - 5.3.3.2.2
  # minlen - Minimum acceptable size for the new password (plus one if credits are not
  # disabled which is the default). Cannot be set to lower value than 6.
  minlen: 14
  # - 5.3.3.2.3
  # This variable sets password complexity: the minimum number of
  # character types that must be used (i.e., uppercase, lowercase, digits, other)
  # Set to 2, passwords cannot have all lower/upper case.
  # Set to 3, passwords need numbers.
  # Set to 4, passwords will have to include all four types of characters.
  minclass: 4
  # - 5.3.3.2.4
  # The pwquality maxrepeat option sets the maximum number of allowed same
  # consecutive characters in a new password.
  maxrepeat: 3
  # - 5.3.3.2.5
  # The pwquality maxsequence option sets the maximum length of monotonic character
  # sequences in the new password. Examples of such sequence are 12345 or fedcb. The
  # check is disabled if the value is 0.
  maxseq: 3

# 5.3.3.4.x
rhel9cis_passwd_hash_algo: sha512

## Section 5.4.1.x: Shadow Password Suite Parameters
rhel9cis_pass:
  ## Control 5.6.1.1 - Ensure password expiration is 365 days or less
  # This variable governs after how many days a password expires.
  # CIS requires a value of 365 or less.
  max_days: 365
  ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
  # This variable specifies the minimum number of days allowed between changing
  # passwords. CIS requires a value of at least 1.
  min_days: 7
  ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
  # This variable governs, how many days before a password expires, the user will be warned.
  # CIS requires a value of at least 7.
  warn_age: 7

## Control 5.4.1.x - Ensure inactive password lock is 30 days or less
rhel9cis_inactivelock:
  # This variable specifies the number of days of inactivity before an account will be locked.
  # CIS requires a value of 30 days or less.
  lock_days: 30

## 5.4.1.x Allow the forcing of setting user_max_days for logins.
# This can break current connecting user access
rhel9cis_force_user_maxdays: false

## 5.4.1.x Allow the force setting of minimum days between changing the password
# This can break current connecting user access
rhel9cis_force_user_mindays: false

## 5.4.1.x Allow the forcing of number of days before warning users of password expiry
# This can break current connecting user access
rhel9cis_force_user_warnage: false

## Control 5.4.1.x - Ensure all users last password change date is in the past
# Allow ansible to expire password for account with a last changed date in the future. Setting it
# to 'false' will just display users in violation, while 'true' will expire those users passwords.
rhel9cis_futurepwchgdate_autofix: true

## Section 5.4 - Configure authselect: Custom authselect profile settings (name, profile to customize, options)
## Controls:
# - 5.4.1 - Ensure custom authselect profile is used ('custom_profile_name', 'default_file_to_copy' subsettings)
# - 5.4.2 - Ensure authselect includes with-faillock | with auth select profile ('custom_profile_name')
# Settings in place now will fail, they are placeholders from the control example. Due to the many
# options and ways to configure this control, it needs to be enabled and settings adjusted to minimise risk.
rhel9cis_authselect:
  # This variable configures the name of the custom profile to be created and selected.
  custom_profile_name: custom-profile
  # This variable configures the ID of the existing profile that should be used as a base for the new profile.
  default_file_to_copy: "sssd --symlink-meta"
  options: with-sudo with-faillock without-nullok with-pwhistory

## Control 5.4.1 - Ensure custom authselect profile is used
# This variable governs if an authselect custom profile should be automatically created, by copying and
# customizing one of the default profiles. The default profiles include: sssd, winbind, or nis. This profile can then be
# customized to follow site specific requirements.
rhel9cis_authselect_custom_profile_create: false

## Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles
# This variable governs if the existing custom profile should be selected (Note: please keep in mind that all future updates
# to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.)
rhel9cis_authselect_custom_profile_select: false

# 5.4.2.x
rhel9cis_root_umask: '0027'  # 0027 or more restrictive

### Controls:
# - 5.6.2 - Ensure system accounts are secured
# - 6.2.10 - Ensure local interactive user home directories exist
# - 6.2.11 - Ensure local interactive users own their home directories
# UID settings for interactive users
# These are discovered via login.defs if set true
rhel9cis_discover_int_uid: true
# This variable sets the minimum number from which to search for UID
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
# been set to `true`.
min_int_uid: 1000
### Controls:
# - 6.2.10 - Ensure local interactive user home directories exist
# - 6.2.11 - Ensure local interactive users own their home directories
# This variable sets the maximum number at which the search stops for UID
# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
# been set to `true`.
max_int_uid: 65533

## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel9cis_shell_session_timeout:
  # This variable specifies the path of the timeout setting file.
  # (TMOUT setting can be set in multiple files, but only one is required for the
  # rule to pass. Options are:
  # - a file in `/etc/profile.d/` ending in `.sh`,
  # - `/etc/profile`, or
  # - `/etc/bash.bashrc`.)
  file: /etc/profile.d/tmout.sh
  # This variable represents the number of seconds of inactivity (TMOUT) after which
  # the shell session is terminated.
  # CIS requires a value of at most 900 seconds.
  timeout: 600

## Section6 vars
## Control 6.1.1 - allow aide to be configured
# AIDE is a file integrity checking tool, similar in nature to Tripwire.
# While it cannot prevent intrusions, it can detect unauthorized changes
# to configuration files by alerting when the files are changed. Review
# the AIDE quick start guide and AIDE documentation before proceeding.
# By setting this variable to `true`, all of the settings related to AIDE will be applied!
rhel9cis_config_aide: true

## Control 6.1.2 AIDE cron settings
# These are the crontab settings for periodic checking of the filesystem's integrity using AIDE.
# The sub-settings of this variable provide the parameters required to configure
# the cron job on the target system.
# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
# and executed automatically at a certain point in time.
rhel9cis_aide_cron:
  # This variable represents the user account under which the cron job for AIDE will run.
  cron_user: root
  # This variable represents the path to the AIDE crontab file.
  cron_file: /etc/cron.d/aide_cron
  # This variable represents the actual command or script that the cron job
  # will execute for running AIDE.
  aide_job: '/usr/sbin/aide --check'
  # These variables define the schedule for the cron job
  # This variable governs the minute of the time of day when the AIDE cronjob is run.
  # It must be in the range `0-59`.
  aide_minute: 0
  # This variable governs the hour of the time of day when the AIDE cronjob is run.
  # It must be in the range `0-23`.
  aide_hour: 5
  # This variable governs the day of the month when the AIDE cronjob is run.
  # `*` signifies that the job is run on all days; furthermore, specific days
  # can be given in the range `1-31`; several days can be concatenated with a comma.
  # The specified day(s) must be in the range `1-31`.
  aide_day: '*'
  # This variable governs the months when the AIDE cronjob is run.
  # `*` signifies that the job is run in every month; furthermore, specific months
  # can be given in the range `1-12`; several months can be concatenated with commas.
  # The specified month(s) must be in the range `1-12`.
  aide_month: '*'
  # This variable governs the weekdays when the AIDE cronjob is run.
  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
  # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
  # can be concatenated with commas.
  aide_weekday: '*'

#
## Preferred method of logging
## Whether rsyslog or journald is the preferred method for local logging
## Control 6.2.3 | Configure rsyslog
## Control 6.2.1 | Configure journald
# This variable governs which logging service should be used; choosing between 'rsyslog' (CIS recommendation)
# or 'journald' (only one of the two is implemented) will trigger the execution of the associated subsection, as the best
# practices are written wholly independent of each other.
rhel9cis_syslog: journald

## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
# This variable expresses whether the system is used as a log server or not.
If set to: # - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts. # - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity # from local attacks on remote clients) rhel9cis_system_is_log_server: false ## Control 6.2.3.5 | PATCH | Ensure logging is configured # This variable governs if current Ansible role should manage syslog settings # in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) rhel9cis_rsyslog_ansiblemanaged: true ## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable governs if 'rsyslog' service should be automatically configured to forward messages to a # remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding # over UDP or TCP, will not be performed. rhel9cis_remote_log_server: false ## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value of the 'target' parameter to be configured when enabling # forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the # destination server. For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_host: logagg.example.com ## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value of the 'port' parameter to be configured when enabling # forwarding syslog messages to a remote log server. The default value for this destination port is 514. # For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). 
rhel9cis_remote_log_port: 514 ## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling # forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP. # For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_protocol: tcp ## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before # it is considered to have failed(that roughly translates to discarded messages). The default value is 0, but # when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect # if server is not responding. For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_retrycount: 100 ## Control 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter). # For this value to be reflected in the configuration, the variable which enables the automatic configuration # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_queuesize: 1000 ## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured # 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to # URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. 
# The port number may be specified after a colon (":"); otherwise 19532 will be used by default.
rhel9cis_journal_upload_url: 192.168.50.42

## The paths below have the default paths/files, but allow the user to create custom paths/filenames
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the private key file used by the remote journal
# server to authenticate itself to the client. This key is used alongside the server's
# public certificate to establish secure communication.
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"

## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the public certificate file of the remote journal
# server. This certificate is used to verify the authenticity of the remote server.
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"

## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"

# ATTENTION: Uncomment the keyword below when values are set!
## Control 6.2.2.6 - Ensure journald log rotation is configured per site policy
# Current variable configures the max amount of disk space the logs will use (thus, journal files
# will not grow without bounds)
# The variables below relate to journald; please set these to your site specific values
# This variable specifies how much disk space the journal may use up at most
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
rhel9cis_journald_systemmaxuse: 10M

## Control 6.2.2.6 - Ensure journald log rotation is configured per site policy
# Current variable configures the amount of disk space to keep free for other uses.
rhel9cis_journald_systemkeepfree: 100G

## Control 6.2.2.6 - Ensure journald log rotation is configured per site policy
# This variable configures how much disk space the journal may use up at most.
# Similar to 'rhel9cis_journald_systemmaxuse', but related to runtime space.
rhel9cis_journald_runtimemaxuse: 10M

## Control 6.2.2.6 - Ensure journald log rotation is configured per site policy
# This variable configures the actual amount of disk space to keep free.
# Similar to 'rhel9cis_journald_systemkeepfree', but related to runtime space.
rhel9cis_journald_runtimekeepfree: 100G

## Control 6.2.2.6 - Ensure journald log rotation is configured per site policy
# Current variable governs the settings for log retention (how long the log files will be kept).
# Thus, it specifies the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given value is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear; for example 2week is two weeks.
# ATTENTION: Uncomment the keyword below when values are set!
rhel9cis_journald_maxfilesec: 1month

# Control 6.3.1.3 - Ensure rhel9cis_audit_back_log_limit is sufficient
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
# Buffering in memory is useful in situations where the audit system is overwhelmed
# with incoming audit events, and needs to temporarily store them until they can be processed.
# This variable should be set to a sufficient value.
# The CIS baseline recommends at least `8192` as value.
rhel9cis_audit_back_log_limit: 8192

## Advanced option found in auditd post and used in template 98_auditd_exceptions.rules.j2
# This variable governs if defining user exceptions for auditd logging is acceptable.
rhel9cis_allow_auditd_uid_user_exclusions: false
# This variable contains a list of uids to be excluded (users whose actions are not logged by auditd)
rhel9cis_auditd_uid_exclude:
  - 1999

# Section 7 Vars
## Control 6.1.9 - Ensure no world writable files exist
# Allow ansible to adjust world-writable files. false will just display world-writable files; true will remove the world-writable permission.
rhel9cis_no_world_write_adjust: true

## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable
# This boolean variable governs if the current role should follow filesystem links for changes to
# the user home directory.
rhel_09_6_2_16_home_follow_symlinks: false

# thanks to @dulin-gnet and community for rhel9-cis feedback.