Updated defaults/main.yml

defaults/main.yml

@@ -1,12 +1,14 @@
 ---
 # defaults file for rhel9_cis
 var_system_crypto_policy: DEFAULT
+inactivity_timeout_value: '900'
+var_screensaver_lock_delay: '5'
 var_sudo_logfile: /var/log/sudo.log
 var_sudo_timestamp_timeout: '5'
 var_authselect_profile: sssd
 login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
 var_password_pam_remember: '5'
-var_password_pam_remember_control_flag: required
+var_password_pam_remember_control_flag: requisite
 var_accounts_passwords_pam_faillock_deny: '3'
 var_accounts_passwords_pam_faillock_unlock_time: '900'
 var_password_pam_minclass: '4'
@@ -14,7 +16,7 @@ var_password_pam_minlen: '14'
 var_password_pam_retry: '3'
 var_account_disable_post_pw_expiration: '30'
 var_accounts_maximum_age_login_defs: '365'
-var_accounts_minimum_age_login_defs: '7'
+var_accounts_minimum_age_login_defs: '1'
 var_accounts_password_warn_age_login_defs: '7'
 var_accounts_tmout: '900'
 var_accounts_user_umask: '027'
@@ -86,6 +88,9 @@ audit_rules_dac_modification_lremovexattr: true
 audit_rules_dac_modification_lsetxattr: true
 audit_rules_dac_modification_removexattr: true
 audit_rules_dac_modification_setxattr: true
+audit_rules_execution_chacl: true
+audit_rules_execution_chcon: true
+audit_rules_execution_setfacl: true
 audit_rules_file_deletion_events_rename: true
 audit_rules_file_deletion_events_renameat: true
 audit_rules_file_deletion_events_unlink: true
@@ -98,10 +103,13 @@ audit_rules_login_events_lastlog: true
 audit_rules_mac_modification: true
 audit_rules_media_export: true
 audit_rules_networkconfig_modification: true
+audit_rules_privileged_commands_usermod: true
 audit_rules_session_events: true
+audit_rules_suid_privilege_function: true
 audit_rules_sysadmin_actions: true
 audit_rules_time_adjtimex: true
 audit_rules_time_clock_settime: true
+audit_rules_time_settimeofday: true
 audit_rules_time_stime: true
 audit_rules_time_watch_localtime: true
 audit_rules_unsuccessful_file_modification_creat: true
@@ -114,6 +122,7 @@ audit_rules_usergroup_modification_gshadow: true
 audit_rules_usergroup_modification_opasswd: true
 audit_rules_usergroup_modification_passwd: true
 audit_rules_usergroup_modification_shadow: true
+audit_sudo_log_events: true
 auditd_data_retention_action_mail_acct: true
 auditd_data_retention_admin_space_left_action: true
 auditd_data_retention_max_log_file: true
@@ -131,8 +140,13 @@ coredump_disable_storage: true
 dconf_gnome_banner_enabled: true
 dconf_gnome_disable_automount: true
 dconf_gnome_disable_automount_open: true
+dconf_gnome_disable_autorun: true
 dconf_gnome_disable_user_list: true
 dconf_gnome_login_banner_text: true
+dconf_gnome_screensaver_idle_delay: true
+dconf_gnome_screensaver_lock_delay: true
+dconf_gnome_screensaver_user_locks: true
+dconf_gnome_session_idle_user_locks: true
 dir_perms_world_writable_sticky_bits: true
 disable_host_auth: true
 disable_strategy: true
@@ -153,15 +167,18 @@ file_groupowner_cron_hourly: true
 file_groupowner_cron_monthly: true
 file_groupowner_cron_weekly: true
 file_groupowner_crontab: true
-file_groupowner_efi_user_cfg: true
 file_groupowner_etc_group: true
 file_groupowner_etc_gshadow: true
+file_groupowner_etc_issue: true
 file_groupowner_etc_issue_net: true
+file_groupowner_etc_motd: true
 file_groupowner_etc_passwd: true
 file_groupowner_etc_shadow: true
 file_groupowner_grub2_cfg: true
 file_groupowner_sshd_config: true
 file_groupowner_user_cfg: true
+file_groupownership_audit_binaries: true
+file_groupownership_audit_configuration: true
 file_groupownership_home_directories: true
 file_owner_backup_etc_group: true
 file_owner_backup_etc_gshadow: true
@@ -174,16 +191,20 @@ file_owner_cron_hourly: true
 file_owner_cron_monthly: true
 file_owner_cron_weekly: true
 file_owner_crontab: true
-file_owner_efi_user_cfg: true
 file_owner_etc_group: true
 file_owner_etc_gshadow: true
+file_owner_etc_issue: true
 file_owner_etc_issue_net: true
+file_owner_etc_motd: true
 file_owner_etc_passwd: true
 file_owner_etc_shadow: true
 file_owner_grub2_cfg: true
 file_owner_sshd_config: true
 file_owner_user_cfg: true
+file_ownership_audit_binaries: true
+file_ownership_audit_configuration: true
 file_permissions_at_allow: true
+file_permissions_audit_binaries: true
 file_permissions_backup_etc_group: true
 file_permissions_backup_etc_gshadow: true
 file_permissions_backup_etc_passwd: true
@@ -195,8 +216,6 @@ file_permissions_cron_hourly: true
 file_permissions_cron_monthly: true
 file_permissions_cron_weekly: true
 file_permissions_crontab: true
-file_permissions_efi_grub2_cfg: true
-file_permissions_efi_user_cfg: true
 file_permissions_etc_group: true
 file_permissions_etc_gshadow: true
 file_permissions_etc_issue: true
@@ -207,8 +226,10 @@ file_permissions_etc_shadow: true
 file_permissions_grub2_cfg: true
 file_permissions_home_directories: true
 file_permissions_sshd_config: true
+file_permissions_sshd_private_key: true
 file_permissions_sshd_pub_key: true
 file_permissions_user_cfg: true
+file_permissions_var_log_audit: true
 gnome_gdm_disable_xdmcp: true
 grub2_audit_argument: true
 grub2_audit_backlog_limit_argument: true
@@ -218,10 +239,8 @@ high_severity: true
 journald_compress: true
 journald_forward_to_syslog: true
 journald_storage: true
-kernel_module_cramfs_disabled: true
-kernel_module_dccp_disabled: true
-kernel_module_sctp_disabled: true
 kernel_module_squashfs_disabled: true
+kernel_module_tipc_disabled: true
 kernel_module_udf_disabled: true
 low_complexity: true
 low_disruption: true
@@ -232,10 +251,8 @@ medium_severity: true
 mount_option_dev_shm_nodev: true
 mount_option_dev_shm_noexec: true
 mount_option_dev_shm_nosuid: true
-mount_option_home_grpquota: true
 mount_option_home_nodev: true
 mount_option_home_nosuid: true
-mount_option_home_usrquota: true
 mount_option_tmp_nodev: true
 mount_option_tmp_noexec: true
 mount_option_tmp_nosuid: true
@@ -246,7 +263,6 @@ mount_option_var_log_nodev: true
 mount_option_var_log_noexec: true
 mount_option_var_log_nosuid: true
 mount_option_var_nodev: true
-mount_option_var_noexec: true
 mount_option_var_nosuid: true
 mount_option_var_tmp_nodev: true
 mount_option_var_tmp_noexec: true
@@ -256,42 +272,40 @@ no_reboot_needed: true
 no_rsh_trust_files: true
 package_aide_installed: true
 package_audit_installed: true
+package_bind_removed: true
+package_cups_removed: true
+package_dhcp_removed: true
 package_dovecot_removed: true
-package_firewalld_installed: true
+package_gdm_removed: true
 package_httpd_removed: true
 package_libselinux_installed: true
 package_mcstrans_removed: true
 package_net_snmp_removed: true
+package_nftables_installed: true
 package_openldap_clients_removed: true
-package_rsh_removed: true
+package_rsync_removed: true
 package_rsyslog_installed: true
 package_samba_removed: true
 package_setroubleshoot_removed: true
 package_squid_removed: true
 package_sudo_installed: true
-package_talk_removed: true
 package_telnet_removed: true
 package_telnet_server_removed: true
 package_tftp_removed: true
 package_tftp_server_removed: true
 package_vsftpd_removed: true
-package_xinetd_removed: true
 package_xorg_x11_server_common_removed: true
-package_ypbind_removed: true
-package_ypserv_removed: true
 postfix_network_listening_disabled: true
 reboot_required: true
-require_emergency_target_auth: true
-require_singleuser_auth: true
 restrict_strategy: true
 rsyslog_files_permissions: true
 selinux_policytype: true
 selinux_state: true
 service_auditd_enabled: true
-service_autofs_disabled: true
 service_crond_enabled: true
 service_firewalld_enabled: true
 service_nfs_disabled: true
+service_rpcbind_disabled: true
 service_rsyslog_enabled: true
 service_systemd_journald_enabled: true
 set_password_hashing_algorithm_passwordauth: true
@@ -303,6 +317,7 @@ sshd_disable_tcp_forwarding: true
 sshd_disable_x11_forwarding: true
 sshd_do_not_permit_user_env: true
 sshd_enable_pam: true
+sshd_enable_warning_banner: true
 sshd_set_idle_timeout: true
 sshd_set_keepalive: true
 sshd_set_login_grace_time: true