ansible-towers/ansible-role-rhel9-cis
1
0
Fork 0
mirror of https://github.com/RedHatOfficial/ansible-role-rhel9-cis.git synced 2026-02-10 09:22:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

Updated defaults/main.yml

Browse Source
This commit is contained in:
ComplianceAsCode development team
2023-07-24 20:40:09 -04:00
committed by Dan Clark
parent 67554ee0cf
commit 3ba3ffd565
1 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
defaults/main.yml
View File

@@ -7,6 +7,8 @@ var_sudo_logfile: /var/log/sudo.log
var_sudo_timestamp_timeout: '5'
var_authselect_profile: sssd
login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
remote_login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
motd_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
var_password_pam_remember: '5'
var_password_pam_remember_control_flag: requisite,required
var_accounts_passwords_pam_faillock_deny: '3'
@@ -46,6 +48,8 @@ sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'
var_nftables_family: inet
var_nftables_table: firewalld
var_selinux_policy_name: targeted
var_selinux_state: enforcing
var_postfix_inet_interfaces: loopback-only
@@ -77,6 +81,7 @@ accounts_umask_etc_login_defs: true
accounts_umask_etc_profile: true
accounts_user_interactive_home_directory_exists: true
aide_build_database: true
aide_check_audit_tools: true
aide_periodic_cron_checking: true
audit_rules_dac_modification_chmod: true
audit_rules_dac_modification_chown: true
@@ -99,14 +104,19 @@ audit_rules_file_deletion_events_renameat: true
audit_rules_file_deletion_events_unlink: true
audit_rules_file_deletion_events_unlinkat: true
audit_rules_immutable: true
audit_rules_kernel_module_loading_create: true
audit_rules_kernel_module_loading_delete: true
audit_rules_kernel_module_loading_finit: true
audit_rules_kernel_module_loading_init: true
audit_rules_kernel_module_loading_query: true
audit_rules_login_events_faillock: true
audit_rules_login_events_lastlog: true
audit_rules_mac_modification: true
audit_rules_mac_modification_usr_share: true
audit_rules_media_export: true
audit_rules_networkconfig_modification: true
audit_rules_privileged_commands: true
audit_rules_privileged_commands_kmod: true
audit_rules_privileged_commands_usermod: true
audit_rules_session_events: true
audit_rules_suid_privilege_function: true
@@ -207,8 +217,11 @@ file_owner_sshd_config: true
file_owner_user_cfg: true
file_ownership_audit_binaries: true
file_ownership_audit_configuration: true
file_ownership_sshd_private_key: true
file_ownership_sshd_pub_key: true
file_permissions_at_allow: true
file_permissions_audit_binaries: true
file_permissions_audit_configuration: true
file_permissions_backup_etc_group: true
file_permissions_backup_etc_gshadow: true
file_permissions_backup_etc_passwd: true
@@ -234,6 +247,8 @@ file_permissions_sshd_private_key: true
file_permissions_sshd_pub_key: true
file_permissions_user_cfg: true
file_permissions_var_log_audit: true
firewalld_loopback_traffic_restricted: true
firewalld_loopback_traffic_trusted: true
gnome_gdm_disable_xdmcp: true
grub2_audit_argument: true
grub2_audit_backlog_limit_argument: true
@@ -273,8 +288,10 @@ mount_option_var_tmp_noexec: true
mount_option_var_tmp_nosuid: true
no_empty_passwords: true
no_empty_passwords_etc_shadow: true
no_password_auth_for_systemaccounts: true
no_reboot_needed: true
no_rsh_trust_files: true
no_shelllogin_for_systemaccounts: true
package_aide_installed: true
package_audit_installed: true
package_avahi_removed: true
@@ -312,15 +329,19 @@ rsyslog_filecreatemode: true
rsyslog_files_groupownership: true
rsyslog_files_ownership: true
rsyslog_files_permissions: true
rsyslog_nolisten: true
selinux_not_disabled: true
selinux_policytype: true
selinux_state: true
service_auditd_enabled: true
service_crond_enabled: true
service_firewalld_enabled: true
service_nfs_disabled: true
service_nftables_disabled: true
service_rpcbind_disabled: true
service_rsyslog_enabled: true
service_systemd_journald_enabled: true
set_nftables_table: true
set_password_hashing_algorithm_logindefs: true
set_password_hashing_algorithm_passwordauth: true
set_password_hashing_algorithm_systemauth: true