forked from ansible-lockdown/RHEL9-CIS
46 lines
1.5 KiB
YAML
46 lines
1.5 KiB
YAML
---
|
|
# vars file for RHEL9-CIS
|
|
|
|
min_ansible_version: 2.10.1
|
|
rhel9cis_allowed_crypto_policies:
|
|
- 'DEFAULT'
|
|
- 'FUTURE'
|
|
- 'FIPS'
|
|
|
|
rhel9cis_allowed_crypto_policies_modules:
|
|
- 'OSPP'
|
|
- 'AD-SUPPORT'
|
|
- 'AD-SUPPORT-LEGACY'
|
|
- 'NO-SHA1'
|
|
- 'NO-SSHCBC'
|
|
- 'NO-SSHETM'
|
|
- 'NO-SSHWEAKCIPHER'
|
|
- 'NO-SSHWEAKMAC'
|
|
- 'NO-WEAKMAC'
|
|
|
|
# Used to control warning summary
|
|
warn_control_list: ""
|
|
warn_count: 0
|
|
|
|
gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
|
|
|
|
## Control 6.3.3.x - Audit template
|
|
# This variable governs if the auditd logic should be executed(if value is true).
|
|
# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
|
|
update_audit_template: false
|
|
|
|
# Defaults
|
|
## Usage on containerized images
|
|
# The role discovers dynamically (in tasks/main.yml) whether it
|
|
# is executed on a container image and sets the variable
|
|
# system_is_container the true. Otherwise, the default value
|
|
# 'false' is left unchanged.
|
|
system_is_container: false
|
|
# The filename of the existing yml file in role's 'vars/' sub-directory
|
|
# to be used for managing the role-behavior when a container was detected:
|
|
# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific
|
|
# firewall-type).
|
|
container_vars_file: is_container.yml
|
|
# rhel9cis is left off the front of this var for consistency in testing pipeline
|
|
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
|
|
system_is_ec2: false
|