ansible-towers/ansible-role-rhel9-cis
1
0
Fork 0
mirror of https://github.com/RedHatOfficial/ansible-role-rhel9-cis.git synced 2026-02-10 09:22:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

Updated defaults/main.yml

Browse Source
This commit is contained in:
ComplianceAsCode development team
2022-10-05 23:55:37 -04:00
committed by Dan Clark
parent fd56bec0ef
commit 97a58a6497
1 changed files with 327 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

328
defaults/main.yml
View File

@@ -1,2 +1,328 @@
---
# defaults file for ansible-role-rhel9-cis
# defaults file for rhel9_cis
var_system_crypto_policy: DEFAULT
var_sudo_logfile: /var/log/sudo.log
var_sudo_timestamp_timeout: '5'
var_authselect_profile: sssd
login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
var_password_pam_remember: '5'
var_password_pam_remember_control_flag: required
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_unlock_time: '900'
var_password_pam_minclass: '4'
var_password_pam_minlen: '14'
var_password_pam_retry: '3'
var_account_disable_post_pw_expiration: '30'
var_accounts_maximum_age_login_defs: '365'
var_accounts_minimum_age_login_defs: '7'
var_accounts_password_warn_age_login_defs: '7'
var_accounts_tmout: '900'
var_accounts_user_umask: '027'
var_auditd_action_mail_acct: root
var_auditd_admin_space_left_action: halt
var_auditd_max_log_file: '6'
var_auditd_max_log_file_action: keep_logs
var_auditd_space_left_action: email
sysctl_net_ipv6_conf_all_accept_ra_value: '0'
sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
sysctl_net_ipv6_conf_all_accept_source_route_value: '0'
sysctl_net_ipv6_conf_all_forwarding_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_value: '0'
sysctl_net_ipv6_conf_default_accept_redirects_value: '0'
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_accept_redirects_value: '0'
sysctl_net_ipv4_conf_all_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_log_martians_value: '1'
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_default_log_martians_value: '1'
sysctl_net_ipv4_conf_default_rp_filter_value: '1'
sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'
var_selinux_policy_name: targeted
var_selinux_state: enforcing
var_postfix_inet_interfaces: loopback-only
var_multiple_time_servers: 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org
var_sshd_set_keepalive: '0'
sshd_idle_timeout_value: '900'
var_sshd_set_login_grace_time: '60'
sshd_max_auth_tries_value: '4'
var_sshd_max_sessions: '10'
var_sshd_set_maxstartups: 10:30:60
account_disable_post_pw_expiration: true
accounts_maximum_age_login_defs: true
accounts_minimum_age_login_defs: true
accounts_password_pam_minclass: true
accounts_password_pam_minlen: true
accounts_password_pam_pwhistory_remember_password_auth: true
accounts_password_pam_pwhistory_remember_system_auth: true
accounts_password_pam_retry: true
accounts_password_set_max_life_existing: true
accounts_password_warn_age_login_defs: true
accounts_passwords_pam_faillock_deny: true
accounts_passwords_pam_faillock_unlock_time: true
accounts_root_path_dirs_no_write: true
accounts_tmout: true
accounts_umask_etc_bashrc: true
accounts_umask_etc_login_defs: true
accounts_umask_etc_profile: true
accounts_user_interactive_home_directory_exists: true
aide_build_database: true
aide_periodic_cron_checking: true
audit_rules_dac_modification_chmod: true
audit_rules_dac_modification_chown: true
audit_rules_dac_modification_fchmod: true
audit_rules_dac_modification_fchmodat: true
audit_rules_dac_modification_fchown: true
audit_rules_dac_modification_fchownat: true
audit_rules_dac_modification_fremovexattr: true
audit_rules_dac_modification_fsetxattr: true
audit_rules_dac_modification_lchown: true
audit_rules_dac_modification_lremovexattr: true
audit_rules_dac_modification_lsetxattr: true
audit_rules_dac_modification_removexattr: true
audit_rules_dac_modification_setxattr: true
audit_rules_file_deletion_events_rename: true
audit_rules_file_deletion_events_renameat: true
audit_rules_file_deletion_events_unlink: true
audit_rules_file_deletion_events_unlinkat: true
audit_rules_immutable: true
audit_rules_kernel_module_loading_delete: true
audit_rules_kernel_module_loading_init: true
audit_rules_login_events_faillock: true
audit_rules_login_events_lastlog: true
audit_rules_mac_modification: true
audit_rules_media_export: true
audit_rules_networkconfig_modification: true
audit_rules_session_events: true
audit_rules_sysadmin_actions: true
audit_rules_time_adjtimex: true
audit_rules_time_clock_settime: true
audit_rules_time_stime: true
audit_rules_time_watch_localtime: true
audit_rules_unsuccessful_file_modification_creat: true
audit_rules_unsuccessful_file_modification_ftruncate: true
audit_rules_unsuccessful_file_modification_open: true
audit_rules_unsuccessful_file_modification_openat: true
audit_rules_unsuccessful_file_modification_truncate: true
audit_rules_usergroup_modification_group: true
audit_rules_usergroup_modification_gshadow: true
audit_rules_usergroup_modification_opasswd: true
audit_rules_usergroup_modification_passwd: true
audit_rules_usergroup_modification_shadow: true
auditd_data_retention_action_mail_acct: true
auditd_data_retention_admin_space_left_action: true
auditd_data_retention_max_log_file: true
auditd_data_retention_max_log_file_action: true
auditd_data_retention_space_left_action: true
banner_etc_issue: true
banner_etc_motd: true
chronyd_specify_remote_server: true
configure_crypto_policy: true
configure_ssh_crypto_policy: true
configure_strategy: true
coredump_disable_backtraces: true
coredump_disable_storage: true
dconf_gnome_banner_enabled: true
dconf_gnome_login_banner_text: true
dir_perms_world_writable_sticky_bits: true
disable_host_auth: true
disable_strategy: true
enable_authselect: true
enable_strategy: true
ensure_gpgcheck_globally_activated: true
file_at_deny_not_exist: true
file_cron_deny_not_exist: true
file_groupowner_at_allow: true
file_groupowner_backup_etc_group: true
file_groupowner_backup_etc_gshadow: true
file_groupowner_backup_etc_passwd: true
file_groupowner_backup_etc_shadow: true
file_groupowner_cron_allow: true
file_groupowner_cron_d: true
file_groupowner_cron_daily: true
file_groupowner_cron_hourly: true
file_groupowner_cron_monthly: true
file_groupowner_cron_weekly: true
file_groupowner_crontab: true
file_groupowner_etc_group: true
file_groupowner_etc_gshadow: true
file_groupowner_etc_passwd: true
file_groupowner_etc_shadow: true
file_groupowner_grub2_cfg: true
file_groupowner_sshd_config: true
file_groupownership_home_directories: true
file_owner_backup_etc_group: true
file_owner_backup_etc_gshadow: true
file_owner_backup_etc_passwd: true
file_owner_backup_etc_shadow: true
file_owner_cron_allow: true
file_owner_cron_d: true
file_owner_cron_daily: true
file_owner_cron_hourly: true
file_owner_cron_monthly: true
file_owner_cron_weekly: true
file_owner_crontab: true
file_owner_etc_group: true
file_owner_etc_gshadow: true
file_owner_etc_passwd: true
file_owner_etc_shadow: true
file_owner_grub2_cfg: true
file_owner_sshd_config: true
file_permissions_at_allow: true
file_permissions_backup_etc_group: true
file_permissions_backup_etc_gshadow: true
file_permissions_backup_etc_passwd: true
file_permissions_backup_etc_shadow: true
file_permissions_cron_allow: true
file_permissions_cron_d: true
file_permissions_cron_daily: true
file_permissions_cron_hourly: true
file_permissions_cron_monthly: true
file_permissions_cron_weekly: true
file_permissions_crontab: true
file_permissions_efi_grub2_cfg: true
file_permissions_etc_group: true
file_permissions_etc_gshadow: true
file_permissions_etc_issue: true
file_permissions_etc_motd: true
file_permissions_etc_passwd: true
file_permissions_etc_shadow: true
file_permissions_grub2_cfg: true
file_permissions_home_directories: true
file_permissions_sshd_config: true
file_permissions_sshd_pub_key: true
grub2_audit_argument: true
grub2_audit_backlog_limit_argument: true
grub2_enable_selinux: true
high_disruption: true
high_severity: true
journald_compress: true
journald_forward_to_syslog: true
journald_storage: true
kernel_module_cramfs_disabled: true
kernel_module_dccp_disabled: true
kernel_module_sctp_disabled: true
kernel_module_squashfs_disabled: true
kernel_module_udf_disabled: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
mount_option_dev_shm_nodev: true
mount_option_dev_shm_noexec: true
mount_option_dev_shm_nosuid: true
mount_option_home_nodev: true
mount_option_home_nosuid: true
mount_option_tmp_nodev: true
mount_option_tmp_noexec: true
mount_option_tmp_nosuid: true
mount_option_var_log_audit_nodev: true
mount_option_var_log_audit_noexec: true
mount_option_var_log_audit_nosuid: true
mount_option_var_log_nodev: true
mount_option_var_log_noexec: true
mount_option_var_log_nosuid: true
mount_option_var_nodev: true
mount_option_var_noexec: true
mount_option_var_nosuid: true
mount_option_var_tmp_nodev: true
mount_option_var_tmp_noexec: true
mount_option_var_tmp_nosuid: true
no_empty_passwords_etc_shadow: true
no_reboot_needed: true
no_rsh_trust_files: true
package_aide_installed: true
package_audit_installed: true
package_dovecot_removed: true
package_firewalld_installed: true
package_httpd_removed: true
package_libselinux_installed: true
package_mcstrans_removed: true
package_net_snmp_removed: true
package_openldap_clients_removed: true
package_rsh_removed: true
package_rsyslog_installed: true
package_samba_removed: true
package_setroubleshoot_removed: true
package_squid_removed: true
package_sudo_installed: true
package_talk_removed: true
package_telnet_removed: true
package_telnet_server_removed: true
package_tftp_removed: true
package_tftp_server_removed: true
package_vsftpd_removed: true
package_xinetd_removed: true
package_xorg_x11_server_common_removed: true
package_ypbind_removed: true
package_ypserv_removed: true
postfix_network_listening_disabled: true
reboot_required: true
require_emergency_target_auth: true
require_singleuser_auth: true
restrict_strategy: true
rsyslog_files_permissions: true
selinux_policytype: true
selinux_state: true
service_auditd_enabled: true
service_autofs_disabled: true
service_crond_enabled: true
service_firewalld_enabled: true
service_nfs_disabled: true
service_rsyslog_enabled: true
service_systemd_journald_enabled: true
set_password_hashing_algorithm_passwordauth: true
set_password_hashing_algorithm_systemauth: true
sshd_disable_empty_passwords: true
sshd_disable_rhosts: true
sshd_disable_root_login: true
sshd_disable_tcp_forwarding: true
sshd_disable_x11_forwarding: true
sshd_do_not_permit_user_env: true
sshd_enable_pam: true
sshd_set_idle_timeout: true
sshd_set_keepalive: true
sshd_set_login_grace_time: true
sshd_set_loglevel_verbose: true
sshd_set_max_auth_tries: true
sshd_set_max_sessions: true
sshd_set_maxstartups: true
sudo_add_use_pty: true
sudo_custom_logfile: true
sudo_require_authentication: true
sudo_require_reauthentication: true
sysctl_kernel_randomize_va_space: true
sysctl_net_ipv4_conf_all_accept_redirects: true
sysctl_net_ipv4_conf_all_accept_source_route: true
sysctl_net_ipv4_conf_all_log_martians: true
sysctl_net_ipv4_conf_all_rp_filter: true
sysctl_net_ipv4_conf_all_secure_redirects: true
sysctl_net_ipv4_conf_all_send_redirects: true
sysctl_net_ipv4_conf_default_accept_redirects: true
sysctl_net_ipv4_conf_default_accept_source_route: true
sysctl_net_ipv4_conf_default_log_martians: true
sysctl_net_ipv4_conf_default_rp_filter: true
sysctl_net_ipv4_conf_default_secure_redirects: true
sysctl_net_ipv4_conf_default_send_redirects: true
sysctl_net_ipv4_icmp_echo_ignore_broadcasts: true
sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true
sysctl_net_ipv4_ip_forward: true
sysctl_net_ipv4_tcp_syncookies: true
sysctl_net_ipv6_conf_all_accept_ra: true
sysctl_net_ipv6_conf_all_accept_redirects: true
sysctl_net_ipv6_conf_all_accept_source_route: true
sysctl_net_ipv6_conf_all_forwarding: true
sysctl_net_ipv6_conf_default_accept_ra: true
sysctl_net_ipv6_conf_default_accept_redirects: true
sysctl_net_ipv6_conf_default_accept_source_route: true
unknown_severity: true
unknown_strategy: true
use_pam_wheel_for_su: true
wireless_disable_interfaces: true