From 3ba3ffd565aee38cd297871bc321ab4115a84243 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Mon, 24 Jul 2023 20:40:09 -0400 Subject: [PATCH] Updated defaults/main.yml --- defaults/main.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 0c19030..0536744 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,6 +7,8 @@ var_sudo_logfile: /var/log/sudo.log var_sudo_timestamp_timeout: '5' var_authselect_profile: sssd login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ +remote_login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ +motd_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ var_password_pam_remember: '5' var_password_pam_remember_control_flag: requisite,required var_accounts_passwords_pam_faillock_deny: '3' @@ -46,6 +48,8 @@ sysctl_net_ipv4_conf_default_secure_redirects_value: '0' sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1' sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1' sysctl_net_ipv4_tcp_syncookies_value: '1' +var_nftables_family: inet +var_nftables_table: firewalld var_selinux_policy_name: targeted var_selinux_state: enforcing var_postfix_inet_interfaces: loopback-only @@ -77,6 +81,7 @@ accounts_umask_etc_login_defs: true accounts_umask_etc_profile: true accounts_user_interactive_home_directory_exists: true aide_build_database: true +aide_check_audit_tools: true aide_periodic_cron_checking: true audit_rules_dac_modification_chmod: true audit_rules_dac_modification_chown: true @@ -99,14 +104,19 @@ audit_rules_file_deletion_events_renameat: true audit_rules_file_deletion_events_unlink: true audit_rules_file_deletion_events_unlinkat: true audit_rules_immutable: true +audit_rules_kernel_module_loading_create: true audit_rules_kernel_module_loading_delete: true +audit_rules_kernel_module_loading_finit: true audit_rules_kernel_module_loading_init: true +audit_rules_kernel_module_loading_query: true audit_rules_login_events_faillock: true audit_rules_login_events_lastlog: true audit_rules_mac_modification: true audit_rules_mac_modification_usr_share: true audit_rules_media_export: true audit_rules_networkconfig_modification: true +audit_rules_privileged_commands: true +audit_rules_privileged_commands_kmod: true audit_rules_privileged_commands_usermod: true audit_rules_session_events: true audit_rules_suid_privilege_function: true @@ -207,8 +217,11 @@ file_owner_sshd_config: true file_owner_user_cfg: true file_ownership_audit_binaries: true file_ownership_audit_configuration: true +file_ownership_sshd_private_key: true +file_ownership_sshd_pub_key: true file_permissions_at_allow: true file_permissions_audit_binaries: true +file_permissions_audit_configuration: true file_permissions_backup_etc_group: true file_permissions_backup_etc_gshadow: true file_permissions_backup_etc_passwd: true @@ -234,6 +247,8 @@ file_permissions_sshd_private_key: true file_permissions_sshd_pub_key: true file_permissions_user_cfg: true file_permissions_var_log_audit: true +firewalld_loopback_traffic_restricted: true +firewalld_loopback_traffic_trusted: true gnome_gdm_disable_xdmcp: true grub2_audit_argument: true grub2_audit_backlog_limit_argument: true @@ -273,8 +288,10 @@ mount_option_var_tmp_noexec: true mount_option_var_tmp_nosuid: true no_empty_passwords: true no_empty_passwords_etc_shadow: true +no_password_auth_for_systemaccounts: true no_reboot_needed: true no_rsh_trust_files: true +no_shelllogin_for_systemaccounts: true package_aide_installed: true package_audit_installed: true package_avahi_removed: true @@ -312,15 +329,19 @@ rsyslog_filecreatemode: true rsyslog_files_groupownership: true rsyslog_files_ownership: true rsyslog_files_permissions: true +rsyslog_nolisten: true +selinux_not_disabled: true selinux_policytype: true selinux_state: true service_auditd_enabled: true service_crond_enabled: true service_firewalld_enabled: true service_nfs_disabled: true +service_nftables_disabled: true service_rpcbind_disabled: true service_rsyslog_enabled: true service_systemd_journald_enabled: true +set_nftables_table: true set_password_hashing_algorithm_logindefs: true set_password_hashing_algorithm_passwordauth: true set_password_hashing_algorithm_systemauth: true