forked from ansible-lockdown/RHEL9-CIS
719 lines
21 KiB
YAML
719 lines
21 KiB
YAML
---
|
|
# defaults file for rhel9-cis
|
|
|
|
system_is_container: false
|
|
container_vars_file: is_container.yml
|
|
# rhel9cis is left off the front of this var for consistency in testing pipeline
|
|
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
|
|
system_is_ec2: false
|
|
|
|
# Run the OS validation check
|
|
os_check: true
|
|
|
|
rhel9cis_section1: true
|
|
rhel9cis_section2: true
|
|
rhel9cis_section3: true
|
|
rhel9cis_section4: true
|
|
rhel9cis_section5: true
|
|
rhel9cis_section6: true
|
|
|
|
# This is used for audit purposes to run only specifc level use the tags
|
|
# e.g.
|
|
# - level1-server
|
|
# - level2-workstation
|
|
rhel9cis_level_1: true
|
|
rhel9cis_level_2: true
|
|
|
|
rhel9cis_selinux_disable: false
|
|
rhel9cis_legacy_boot: false
|
|
|
|
## Python Binary
|
|
## This is used for python3 Installations where python2 OS modules are used in ansible
|
|
python2_bin: /bin/python2.7
|
|
|
|
## Benchmark name used by audting control role
|
|
# The audit variable found at the base
|
|
## metadata for Audit benchmark
|
|
benchmark_version: 'v1.0.0'
|
|
|
|
benchmark: RHEL9-CIS
|
|
|
|
# Whether to skip the reboot
|
|
skip_reboot: true
|
|
|
|
# default value will change to true but wont reboot if not enabled but will error
|
|
change_requires_reboot: false
|
|
|
|
#### Basic external goss audit enablement settings ####
|
|
#### Precise details - per setting can be found at the bottom of this file ####
|
|
|
|
### Goss is required on the remote host
|
|
setup_audit: false
|
|
# How to retrive goss
|
|
# Options are copy or download - detailed settings at the bottom of this file
|
|
# you will need to access to either github or the file already dowmloaded
|
|
get_goss_file: download
|
|
|
|
# how to get audit files onto host options
|
|
# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)
|
|
audit_content: git
|
|
|
|
# enable audits to run - this runs the audit and get the latest content
|
|
run_audit: false
|
|
|
|
# Timeout for those cmds that take longer to run where timeout set
|
|
audit_cmd_timeout: 60000
|
|
|
|
### End Goss enablements ####
|
|
#### Detailed settings found at the end of this document ####
|
|
|
|
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
|
|
# the CIS benchmark documents.
|
|
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
|
|
# You must enable an entire section in order for the variables below to take effect.
|
|
# Section 1 rules
|
|
rhel9cis_rule_1_1_1_1: true
|
|
rhel9cis_rule_1_1_1_2: true
|
|
rhel9cis_rule_1_1_2_1: true
|
|
rhel9cis_rule_1_1_2_2: true
|
|
rhel9cis_rule_1_1_2_3: true
|
|
rhel9cis_rule_1_1_2_4: true
|
|
rhel9cis_rule_1_1_3_1: true
|
|
rhel9cis_rule_1_1_3_2: true
|
|
rhel9cis_rule_1_1_3_3: true
|
|
rhel9cis_rule_1_1_4_1: true
|
|
rhel9cis_rule_1_1_4_2: true
|
|
rhel9cis_rule_1_1_4_3: true
|
|
rhel9cis_rule_1_1_4_4: true
|
|
rhel9cis_rule_1_1_5_1: true
|
|
rhel9cis_rule_1_1_5_2: true
|
|
rhel9cis_rule_1_1_5_3: true
|
|
rhel9cis_rule_1_1_5_4: true
|
|
rhel9cis_rule_1_1_6_1: true
|
|
rhel9cis_rule_1_1_6_2: true
|
|
rhel9cis_rule_1_1_6_3: true
|
|
rhel9cis_rule_1_1_6_4: true
|
|
rhel9cis_rule_1_1_7_1: true
|
|
rhel9cis_rule_1_1_7_2: true
|
|
rhel9cis_rule_1_1_7_3: true
|
|
rhel9cis_rule_1_1_8_1: true
|
|
rhel9cis_rule_1_1_8_2: true
|
|
rhel9cis_rule_1_1_8_3: true
|
|
rhel9cis_rule_1_1_8_4: true
|
|
rhel9cis_rule_1_1_18: true
|
|
rhel9cis_rule_1_1_19: true
|
|
rhel9cis_rule_1_1_20: true
|
|
rhel9cis_rule_1_1_21: true
|
|
rhel9cis_rule_1_1_9: true
|
|
rhel9cis_rule_1_2_1: true
|
|
rhel9cis_rule_1_2_2: true
|
|
rhel9cis_rule_1_2_3: true
|
|
rhel9cis_rule_1_2_4: true
|
|
rhel9cis_rule_1_3_1: true
|
|
rhel9cis_rule_1_3_2: true
|
|
rhel9cis_rule_1_3_3: true
|
|
rhel9cis_rule_1_4_1: true
|
|
rhel9cis_rule_1_4_2: true
|
|
rhel9cis_rule_1_5_1: true
|
|
rhel9cis_rule_1_5_2: true
|
|
rhel9cis_rule_1_5_3: true
|
|
rhel9cis_rule_1_6_1_1: true
|
|
rhel9cis_rule_1_6_1_2: true
|
|
rhel9cis_rule_1_6_1_3: true
|
|
rhel9cis_rule_1_6_1_4: true
|
|
rhel9cis_rule_1_6_1_5: true
|
|
rhel9cis_rule_1_6_1_6: true
|
|
rhel9cis_rule_1_6_1_7: true
|
|
rhel9cis_rule_1_6_1_8: true
|
|
rhel9cis_rule_1_7_1: true
|
|
rhel9cis_rule_1_7_2: true
|
|
rhel9cis_rule_1_7_3: true
|
|
rhel9cis_rule_1_7_4: true
|
|
rhel9cis_rule_1_7_5: true
|
|
rhel9cis_rule_1_7_6: true
|
|
rhel9cis_rule_1_8_1: true
|
|
rhel9cis_rule_1_8_2: true
|
|
rhel9cis_rule_1_8_3: true
|
|
rhel9cis_rule_1_8_4: true
|
|
rhel9cis_rule_1_8_5: true
|
|
rhel9cis_rule_1_8_6: true
|
|
rhel9cis_rule_1_8_7: true
|
|
rhel9cis_rule_1_8_8: true
|
|
rhel9cis_rule_1_8_9: true
|
|
rhel9cis_rule_1_8_10: true
|
|
rhel9cis_rule_1_9: true
|
|
rhel9cis_rule_1_10: true
|
|
|
|
# Section 2 rules
|
|
rhel9cis_rule_2_1_1: true
|
|
rhel9cis_rule_2_1_2: true
|
|
rhel9cis_rule_2_2_1: true
|
|
rhel9cis_rule_2_2_2: true
|
|
rhel9cis_rule_2_2_3: true
|
|
rhel9cis_rule_2_2_4: true
|
|
rhel9cis_rule_2_2_5: true
|
|
rhel9cis_rule_2_2_6: true
|
|
rhel9cis_rule_2_2_7: true
|
|
rhel9cis_rule_2_2_8: true
|
|
rhel9cis_rule_2_2_9: true
|
|
rhel9cis_rule_2_2_10: true
|
|
rhel9cis_rule_2_2_11: true
|
|
rhel9cis_rule_2_2_12: true
|
|
rhel9cis_rule_2_2_13: true
|
|
rhel9cis_rule_2_2_14: true
|
|
rhel9cis_rule_2_2_15: true
|
|
rhel9cis_rule_2_2_16: true
|
|
rhel9cis_rule_2_2_17: true
|
|
rhel9cis_rule_2_2_18: true
|
|
rhel9cis_rule_2_3_1: true
|
|
rhel9cis_rule_2_3_2: true
|
|
rhel9cis_rule_2_3_3: true
|
|
rhel9cis_rule_2_3_4: true
|
|
rhel9cis_rule_2_4: true
|
|
|
|
# Section 3 rules
|
|
rhel9cis_rule_3_1_1: true
|
|
rhel9cis_rule_3_1_2: true
|
|
rhel9cis_rule_3_1_3: true
|
|
rhel9cis_rule_3_2_1: true
|
|
rhel9cis_rule_3_2_2: true
|
|
rhel9cis_rule_3_3_1: true
|
|
rhel9cis_rule_3_3_2: true
|
|
rhel9cis_rule_3_3_3: true
|
|
rhel9cis_rule_3_3_4: true
|
|
rhel9cis_rule_3_3_5: true
|
|
rhel9cis_rule_3_3_6: true
|
|
rhel9cis_rule_3_3_7: true
|
|
rhel9cis_rule_3_3_8: true
|
|
rhel9cis_rule_3_3_9: true
|
|
rhel9cis_rule_3_4_1_1: true
|
|
rhel9cis_rule_3_4_1_2: true
|
|
rhel9cis_rule_3_4_2_1: true
|
|
rhel9cis_rule_3_4_2_2: true
|
|
rhel9cis_rule_3_4_2_3: true
|
|
rhel9cis_rule_3_4_2_4: true
|
|
rhel9cis_rule_3_4_2_5: true
|
|
rhel9cis_rule_3_4_2_6: true
|
|
rhel9cis_rule_3_4_2_7: true
|
|
|
|
# Section 4 rules
|
|
rhel9cis_rule_4_1_1_1: true
|
|
rhel9cis_rule_4_1_1_2: true
|
|
rhel9cis_rule_4_1_1_3: true
|
|
rhel9cis_rule_4_1_1_4: true
|
|
rhel9cis_rule_4_1_2_1: true
|
|
rhel9cis_rule_4_1_2_2: true
|
|
rhel9cis_rule_4_1_2_3: true
|
|
rhel9cis_rule_4_1_3_1: true
|
|
rhel9cis_rule_4_1_3_2: true
|
|
rhel9cis_rule_4_1_3_3: true
|
|
rhel9cis_rule_4_1_3_4: true
|
|
rhel9cis_rule_4_1_3_5: true
|
|
rhel9cis_rule_4_1_3_6: true
|
|
rhel9cis_rule_4_1_3_7: true
|
|
rhel9cis_rule_4_1_3_8: true
|
|
rhel9cis_rule_4_1_3_9: true
|
|
rhel9cis_rule_4_1_3_10: true
|
|
rhel9cis_rule_4_1_3_11: true
|
|
rhel9cis_rule_4_1_3_12: true
|
|
rhel9cis_rule_4_1_3_13: true
|
|
rhel9cis_rule_4_1_3_14: true
|
|
rhel9cis_rule_4_1_3_15: true
|
|
rhel9cis_rule_4_1_3_16: true
|
|
rhel9cis_rule_4_1_3_17: true
|
|
rhel9cis_rule_4_1_3_18: true
|
|
rhel9cis_rule_4_1_3_19: true
|
|
rhel9cis_rule_4_1_3_20: true
|
|
rhel9cis_rule_4_1_3_21: true
|
|
rhel9cis_rule_4_1_4_1: true
|
|
rhel9cis_rule_4_1_4_2: true
|
|
rhel9cis_rule_4_1_4_3: true
|
|
rhel9cis_rule_4_1_4_4: true
|
|
rhel9cis_rule_4_1_4_5: true
|
|
rhel9cis_rule_4_1_4_6: true
|
|
rhel9cis_rule_4_1_4_7: true
|
|
rhel9cis_rule_4_1_4_8: true
|
|
rhel9cis_rule_4_1_4_9: true
|
|
rhel9cis_rule_4_1_4_10: true
|
|
rhel9cis_rule_4_2_1_1: true
|
|
rhel9cis_rule_4_2_1_2: true
|
|
rhel9cis_rule_4_2_1_3: true
|
|
rhel9cis_rule_4_2_1_4: true
|
|
rhel9cis_rule_4_2_1_5: true
|
|
rhel9cis_rule_4_2_1_6: true
|
|
rhel9cis_rule_4_2_1_7: true
|
|
rhel9cis_rule_4_2_2_1_1: true
|
|
rhel9cis_rule_4_2_2_1_2: true
|
|
rhel9cis_rule_4_2_2_1_3: true
|
|
rhel9cis_rule_4_2_2_1_4: true
|
|
rhel9cis_rule_4_2_2_2: true
|
|
rhel9cis_rule_4_2_2_3: true
|
|
rhel9cis_rule_4_2_2_4: true
|
|
rhel9cis_rule_4_2_2_5: true
|
|
rhel9cis_rule_4_2_2_6: true
|
|
rhel9cis_rule_4_2_2_7: true
|
|
rhel9cis_rule_4_2_3: true
|
|
rhel9cis_rule_4_3: true
|
|
|
|
# Section 5 rules
|
|
rhel9cis_rule_5_1_1: true
|
|
rhel9cis_rule_5_1_2: true
|
|
rhel9cis_rule_5_1_3: true
|
|
rhel9cis_rule_5_1_4: true
|
|
rhel9cis_rule_5_1_5: true
|
|
rhel9cis_rule_5_1_6: true
|
|
rhel9cis_rule_5_1_7: true
|
|
rhel9cis_rule_5_1_8: true
|
|
rhel9cis_rule_5_1_9: true
|
|
rhel9cis_rule_5_2_1: true
|
|
rhel9cis_rule_5_2_2: true
|
|
rhel9cis_rule_5_2_3: true
|
|
rhel9cis_rule_5_2_4: true
|
|
rhel9cis_rule_5_2_5: true
|
|
rhel9cis_rule_5_2_6: true
|
|
rhel9cis_rule_5_2_7: true
|
|
rhel9cis_rule_5_2_8: true
|
|
rhel9cis_rule_5_2_9: true
|
|
rhel9cis_rule_5_2_10: true
|
|
rhel9cis_rule_5_2_12: true
|
|
rhel9cis_rule_5_2_11: true
|
|
rhel9cis_rule_5_2_13: true
|
|
rhel9cis_rule_5_2_14: true
|
|
rhel9cis_rule_5_2_15: true
|
|
rhel9cis_rule_5_2_16: true
|
|
rhel9cis_rule_5_2_17: true
|
|
rhel9cis_rule_5_2_18: true
|
|
rhel9cis_rule_5_2_19: true
|
|
rhel9cis_rule_5_2_20: true
|
|
rhel9cis_rule_5_3_1: true
|
|
rhel9cis_rule_5_3_2: true
|
|
rhel9cis_rule_5_3_3: true
|
|
rhel9cis_rule_5_3_4: true
|
|
rhel9cis_rule_5_3_5: true
|
|
rhel9cis_rule_5_3_6: true
|
|
rhel9cis_rule_5_3_7: true
|
|
rhel9cis_rule_5_4_1: true
|
|
rhel9cis_rule_5_4_2: true
|
|
rhel9cis_rule_5_5_1: true
|
|
rhel9cis_rule_5_5_2: true
|
|
rhel9cis_rule_5_5_3: true
|
|
rhel9cis_rule_5_5_4: true
|
|
rhel9cis_rule_5_5_5: true
|
|
rhel9cis_rule_5_6_1_1: true
|
|
rhel9cis_rule_5_6_1_2: true
|
|
rhel9cis_rule_5_6_1_3: true
|
|
rhel9cis_rule_5_6_1_4: true
|
|
rhel9cis_rule_5_6_1_5: true
|
|
rhel9cis_rule_5_6_2: true
|
|
rhel9cis_rule_5_6_3: true
|
|
rhel9cis_rule_5_6_4: true
|
|
rhel9cis_rule_5_6_5: true
|
|
rhel9cis_rule_5_6_6: true
|
|
|
|
# Section 6 rules
|
|
rhel9cis_rule_6_1_1: true
|
|
rhel9cis_rule_6_1_2: true
|
|
rhel9cis_rule_6_1_3: true
|
|
rhel9cis_rule_6_1_4: true
|
|
rhel9cis_rule_6_1_5: true
|
|
rhel9cis_rule_6_1_6: true
|
|
rhel9cis_rule_6_1_7: true
|
|
rhel9cis_rule_6_1_8: true
|
|
rhel9cis_rule_6_1_9: true
|
|
rhel9cis_rule_6_1_10: true
|
|
rhel9cis_rule_6_1_11: true
|
|
rhel9cis_rule_6_1_12: true
|
|
rhel9cis_rule_6_1_13: true
|
|
rhel9cis_rule_6_1_14: true
|
|
rhel9cis_rule_6_1_15: true
|
|
rhel9cis_rule_6_2_1: true
|
|
rhel9cis_rule_6_2_2: true
|
|
rhel9cis_rule_6_2_3: true
|
|
rhel9cis_rule_6_2_4: true
|
|
rhel9cis_rule_6_2_5: true
|
|
rhel9cis_rule_6_2_6: true
|
|
rhel9cis_rule_6_2_7: true
|
|
rhel9cis_rule_6_2_8: true
|
|
rhel9cis_rule_6_2_9: true
|
|
rhel9cis_rule_6_2_10: true
|
|
rhel9cis_rule_6_2_11: true
|
|
rhel9cis_rule_6_2_12: true
|
|
rhel9cis_rule_6_2_13: true
|
|
rhel9cis_rule_6_2_14: true
|
|
rhel9cis_rule_6_2_15: true
|
|
rhel9cis_rule_6_2_16: true
|
|
|
|
|
|
## Section 1 vars
|
|
|
|
#### 1.1.2
|
|
# These settings go into the /etc/fstab file for the /tmp mount settings
|
|
# The value must contain nosuid,nodev,noexec to conform to CIS standards
|
|
# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
|
|
# If set true uses the tmp.mount service else using fstab configuration
|
|
rhel9cis_tmp_svc: false
|
|
|
|
#### 1.1.9
|
|
rhel9cis_allow_autofs: false
|
|
|
|
# 1.2.1
|
|
# This is the login information for your RedHat Subscription
|
|
# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
|
|
# The intent here is to use a password utility like Ansible Vault here
|
|
rhel9cis_rh_sub_user: user
|
|
rhel9cis_rh_sub_password: password
|
|
|
|
# 1.2.2
|
|
# Do you require rhnsd
|
|
# RedHat Satellite Subscription items
|
|
rhel9cis_rhnsd_required: false
|
|
|
|
# 1.2.4 repo_gpgcheck
|
|
rhel9cis_rhel_default_repo: true
|
|
|
|
# 1.4.2 Bootloader password
|
|
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'
|
|
rhel9cis_bootloader_password: random
|
|
rhel9cis_set_boot_pass: true
|
|
|
|
# 1.8 Gnome Desktop
|
|
rhel9cis_dconf_db_name: local
|
|
rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900)
|
|
rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5)
|
|
|
|
# 1.10 Set crypto policy DEFAULT
|
|
# Control 1.10 states not to use LEGACY
|
|
rhel9cis_crypto_policy: "DEFAULT"
|
|
|
|
# System network parameters (host only OR host and router)
|
|
rhel9cis_is_router: false
|
|
|
|
# IPv6 required
|
|
rhel9cis_ipv6_required: true
|
|
|
|
# AIDE
|
|
rhel9cis_config_aide: true
|
|
# AIDE cron settings
|
|
rhel9cis_aide_cron:
|
|
cron_user: root
|
|
cron_file: /etc/cron.d/aide_cron
|
|
aide_job: '/usr/sbin/aide --check'
|
|
aide_minute: 0
|
|
aide_hour: 5
|
|
aide_day: '*'
|
|
aide_month: '*'
|
|
aide_weekday: '*'
|
|
|
|
# SELinux policy
|
|
rhel9cis_selinux_pol: targeted
|
|
# chose onf or enfocing or permissive
|
|
rhel9cis_selinux_enforce: enforcing
|
|
|
|
# Whether or not to run tasks related to auditing/patching the desktop environment
|
|
|
|
## 2. Services
|
|
|
|
|
|
### 2.1 Time Synchronization
|
|
#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
|
|
rhel9cis_time_synchronization_servers:
|
|
- 0.pool.ntp.org
|
|
- 1.pool.ntp.org
|
|
- 2.pool.ntp.org
|
|
- 3.pool.ntp.org
|
|
rhel9cis_chrony_server_options: "minpoll 8"
|
|
|
|
### 2.2 Special Purposes
|
|
##### Service configuration booleans set true to keep service
|
|
rhel9cis_gui: false
|
|
rhel9cis_avahi_server: false
|
|
rhel9cis_cups_server: false
|
|
rhel9cis_dhcp_server: false
|
|
rhel9cis_dns_server: false
|
|
rhel9cis_dnsmasq_server: false
|
|
rhel9cis_vsftpd_server: false
|
|
rhel9cis_tftp_server: false
|
|
rhel9cis_httpd_server: false
|
|
rhel9cis_nginx_server: false
|
|
rhel9cis_dovecot_server: false
|
|
rhel9cis_imap_server: false
|
|
rhel9cis_samba_server: false
|
|
rhel9cis_squid_server: false
|
|
rhel9cis_snmp_server: false
|
|
rhel9cis_telnet_server: false
|
|
rhel9cis_is_mail_server: false
|
|
# Note the options
|
|
# Packages are used for client services and Server- only remove if you dont use the client service
|
|
#
|
|
|
|
rhel9cis_use_nfs_server: false
|
|
rhel9cis_use_nfs_service: false
|
|
|
|
rhel9cis_use_rpc_server: false
|
|
rhel9cis_use_rpc_service: false
|
|
|
|
rhel9cis_use_rsync_server: false
|
|
rhel9cis_use_rsync_service: false
|
|
|
|
#### 2.3 Service clients
|
|
rhel9cis_telnet_required: false
|
|
rhel9cis_openldap_clients_required: false
|
|
rhel9cis_tftp_client: false
|
|
rhel9cis_ftp_client: false
|
|
|
|
|
|
## Section3 vars
|
|
## Sysctl
|
|
sysctl_update: false
|
|
flush_ipv4_route: false
|
|
flush_ipv6_route: false
|
|
|
|
### Firewall Service - either firewalld, iptables, or nftables
|
|
#### Some control allow for services to be removed or masked
|
|
#### The options are under each heading
|
|
#### absent = remove the package
|
|
#### masked = leave package if installed and mask the service
|
|
rhel9cis_firewall: firewalld
|
|
|
|
##### firewalld
|
|
rhel9cis_default_zone: public
|
|
|
|
|
|
# These are added to demonstrate how this can be done
|
|
rhel9cis_firewalld_ports:
|
|
- number: 80
|
|
protocol: tcp
|
|
|
|
#### nftables
|
|
rhel9cis_nft_tables_autonewtable: true
|
|
rhel9cis_nft_tables_tablename: filter
|
|
rhel9cis_nft_tables_autochaincreate: true
|
|
|
|
# Warning Banner Content (issue, issue.net, motd)
|
|
rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported.
|
|
# End Banner
|
|
|
|
## Section4 vars
|
|
### 4.1 Configure System Accounting
|
|
#### 4.1.2 Configure Data Retention
|
|
rhel9cis_auditd:
|
|
space_left_action: email
|
|
action_mail_acct: root
|
|
admin_space_left_action: halt
|
|
max_log_file_action: keep_logs
|
|
|
|
# The audit_back_log_limit value should never be below 8192
|
|
rhel9cis_audit_back_log_limit: 8192
|
|
|
|
# The max_log_file parameter should be based on your sites policy
|
|
rhel9cis_max_log_file_size: 10
|
|
|
|
### 4.1.3.x audit template
|
|
update_audit_template: false
|
|
|
|
## Advanced option found in auditd post
|
|
allow_auditd_uid_user_exclusions: false
|
|
|
|
|
|
# This can be used to configure other keys in auditd.conf
|
|
rhel9cis_auditd_extra_conf: {}
|
|
# Example:
|
|
# rhel9cis_auditd_extra_conf:
|
|
# admin_space_left: '10%'
|
|
|
|
## Preferred method of logging
|
|
## Whether rsyslog or journald preferred method for local logging
|
|
## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
|
|
rhel9cis_syslog: rsyslog
|
|
rhel9cis_rsyslog_ansiblemanaged: true
|
|
|
|
#### 4.2.1.6 remote and destation log server name
|
|
rhel9cis_remote_log_server: false
|
|
rhel9cis_remote_log_host: logagg.example.com
|
|
rhel9cis_remote_log_port: 514
|
|
rhel9cis_remote_log_protocol: tcp
|
|
rhel9cis_remote_log_retrycount: 100
|
|
rhel9cis_remote_log_queuesize: 1000
|
|
|
|
|
|
#### 4.2.1.7
|
|
rhel9cis_system_is_log_server: false
|
|
|
|
# 4.2.2.1.2
|
|
# rhel9cis_journal_upload_url is the ip address to upload the journal entries to
|
|
rhel9cis_journal_upload_url: 192.168.50.42
|
|
# The paths below have the default paths/files, but allow user to create custom paths/filenames
|
|
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
|
|
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
|
|
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
|
|
|
|
# 4.2.2.1
|
|
# The variables below related to journald, please set these to your site specific values
|
|
# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use
|
|
rhel9cis_journald_systemmaxuse: 10M
|
|
# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free
|
|
rhel9cis_journald_systemkeepfree: 100G
|
|
rhel9cis_journald_runtimemaxuse: 10M
|
|
rhel9cis_journald_runtimekeepfree: 100G
|
|
# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
|
|
rhel9cis_journald_maxfilesec: 1month
|
|
|
|
#### 4.3
|
|
rhel9cis_logrotate: "daily"
|
|
|
|
## Section5 vars
|
|
|
|
# This will allow use of drop in files when CIS adopts them.
|
|
rhel9_cis_sshd_config_file: /etc/ssh/sshd_config
|
|
|
|
rhel9cis_sshd:
|
|
clientalivecountmax: 0
|
|
clientaliveinterval: 900
|
|
logingracetime: 60
|
|
# WARNING: make sure you understand the precedence when working with these values!!
|
|
# allowusers:
|
|
# allowgroups: systems dba
|
|
# denyusers:
|
|
# denygroups:
|
|
|
|
# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
|
|
rhel9cis_ssh_loglevel: INFO
|
|
|
|
# 5.2.19 SSH MaxSessions setting. Must be 4 our less
|
|
rhel9cis_ssh_maxsessions: 4
|
|
rhel9cis_inactivelock:
|
|
lock_days: 30
|
|
|
|
|
|
rhel9cis_use_authconfig: false
|
|
# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example
|
|
# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk
|
|
rhel9cis_authselect:
|
|
custom_profile_name: custom-profile
|
|
default_file_to_copy: "sssd --symlink-meta"
|
|
options: with-sudo with-faillock without-nullok
|
|
|
|
# 5.3.1 Enable automation to create custom profile settings, using the settings above
|
|
rhel9cis_authselect_custom_profile_create: false
|
|
|
|
# 5.3.2 Enable automation to select custom profile options, using the settings above
|
|
rhel9cis_authselect_custom_profile_select: false
|
|
|
|
|
|
rhel9cis_pass:
|
|
max_days: 365
|
|
min_days: 7
|
|
warn_age: 7
|
|
|
|
# 5.5.1
|
|
## PAM
|
|
rhel9cis_pam_password:
|
|
minlen: 14
|
|
minclass: 4
|
|
|
|
rhel9cis_pam_faillock:
|
|
unlock_time: 900
|
|
deny: 5
|
|
remember: 5
|
|
|
|
# UID settings for interactive users
|
|
# These are discovered via logins.def if set true
|
|
discover_int_uid: false
|
|
min_int_uid: 1000
|
|
max_int_uid: 65533
|
|
|
|
# 5.3.3 var log location variable
|
|
rhel9cis_sudolog_location: "/var/log/sudo.log"
|
|
|
|
#### 5.3.6
|
|
rhel9cis_sudo_timestamp_timeout: 15
|
|
|
|
### 5.4.2 authselect and faillock
|
|
## This option is used at your own risk it will enable faillock for users
|
|
## Only to be used on a new clean system if not using authselect
|
|
## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ##
|
|
rhel9cis_add_faillock_without_authselect: false
|
|
# This needs to be set to ACCEPT
|
|
rhel9cis_5_4_2_risks: NEVER
|
|
|
|
# RHEL-09-5.4.5
|
|
# Session timeout setting file (TMOUT setting can be set in multiple files)
|
|
# Timeout value is in seconds. (60 seconds * 10 = 600)
|
|
rhel9cis_shell_session_timeout:
|
|
file: /etc/profile.d/tmout.sh
|
|
timeout: 600
|
|
# RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
|
|
rhel9cis_futurepwchgdate_autofix: true
|
|
|
|
# 5.7
|
|
# rhel9cis_sugroup: sugroup # change accordingly wheel is default
|
|
|
|
# wheel users list please supply comma seperated e.g. "vagrant,root"
|
|
rhel9cis_sugroup_users: "root"
|
|
|
|
## Section6 vars
|
|
|
|
# RHEL-09_6.1.1
|
|
rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
|
|
|
|
# RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
|
|
rhel9cis_no_world_write_adjust: true
|
|
rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
|
|
|
|
|
|
# 6.2.16
|
|
## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
|
|
rhel_09_6_2_16_home_follow_symlinks: false
|
|
|
|
|
|
|
|
#### Goss Configuration Settings ####
|
|
# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
|
|
audit_run_script_environment:
|
|
AUDIT_BIN: "{{ audit_bin }}"
|
|
AUDIT_FILE: 'goss.yml'
|
|
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
|
|
|
|
|
|
### Goss binary settings ###
|
|
goss_version:
|
|
release: v0.3.21
|
|
checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
|
|
audit_bin_path: /usr/local/bin/
|
|
audit_bin: "{{ audit_bin_path }}goss"
|
|
audit_format: json
|
|
|
|
# if get_goss_file == download change accordingly
|
|
goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
|
|
|
|
## if get_goss_file - copy the following needs to be updated for your environment
|
|
## it is expected that it will be copied from somewhere accessible to the control node
|
|
## e.g copy from ansible control node to remote host
|
|
copy_goss_from_path: /some/accessible/path
|
|
|
|
### Goss Audit Benchmark file ###
|
|
## managed by the control audit_content
|
|
# git
|
|
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
|
|
audit_git_version: "benchmark_{{ benchmark_version }}"
|
|
|
|
# copy:
|
|
audit_local_copy: "some path to copy from"
|
|
|
|
# get_url:
|
|
audit_files_url: "some url maybe s3?"
|
|
|
|
## Goss configuration information
|
|
# Where the goss configs and outputs are stored
|
|
audit_out_dir: '/opt'
|
|
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
|
|
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
|
|
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
|
|
|
|
## The following should not need changing
|
|
goss_file: "{{ audit_conf_dir }}goss.yml"
|
|
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
|
|
audit_results: |
|
|
The pre remediation results are: {{ pre_audit_summary }}.
|
|
The post remediation results are: {{ post_audit_summary }}.
|
|
Full breakdown can be found in {{ audit_out_dir }}
|