From 9cecc69a6b59a6780e13a8d93a32eadabd93d759 Mon Sep 17 00:00:00 2001
From: ComplianceAsCode development team
Date: Thu, 30 Oct 2025 11:44:53 -0400
Subject: [PATCH] Updated defaults/main.yml
---
 defaults/main.yml | 98 +++++++++++++++++++++++++++++++++--------------
 1 file changed, 69 insertions(+), 29 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index b4936e3..66eb0bc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 # defaults file for rhel9_cis
-var_system_crypto_policy: DEFAULT
+var_system_crypto_policy: DEFAULT:NO-SHA1
 inactivity_timeout_value: '900'
 var_screensaver_lock_delay: '5'
 var_sudo_logfile: /var/log/sudo.log
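Review bot: `var_system_crypto_policy` is moved to `DEFAULT:NO-SHA1` without a comment, and the only comment in the file is the header `# defaults file for rhel9_cis`. The NO-SHA1 subpolicy (as applied by `update-crypto-policies --set DEFAULT:NO-SHA1`) disables SHA-1 signatures for every library that honours the system policy, so a host whose peers still depend on SHA-1 signatures stops negotiating with them after the role runs — intended hardening, but a rollout caveat operators need to see at the point where the value is set. Suggest `# NO-SHA1 subpolicy: SHA-1 signatures rejected system-wide; check legacy TLS/SSH peers before rollout` above the new value.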
@@ -9,20 +9,24 @@ var_authselect_profile: sssd
 login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
 remote_login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
 motd_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
-var_password_pam_remember: '5'
+var_password_pam_remember: '24'
 var_password_pam_remember_control_flag: requisite,required
-var_accounts_passwords_pam_faillock_deny: '3'
+var_accounts_passwords_pam_faillock_deny: '5'
 var_accounts_passwords_pam_faillock_unlock_time: '900'
+var_password_pam_dictcheck: '1'
+var_password_pam_difok: '2'
+var_password_pam_maxrepeat: '3'
 var_password_pam_minclass: '4'
 var_password_pam_minlen: '14'
-var_password_pam_retry: '3'
+var_password_hashing_algorithm_pam: sha512
 var_password_hashing_algorithm: SHA512
-var_account_disable_post_pw_expiration: '30'
+var_account_disable_post_pw_expiration: '45'
 var_accounts_maximum_age_login_defs: '365'
 var_accounts_minimum_age_login_defs: '1'
 var_accounts_password_warn_age_login_defs: '7'
 var_pam_wheel_group_for_su: sugroup
 var_accounts_tmout: '900'
+var_user_initialization_files_regex: ^\.[\w\- ]+$
 var_accounts_user_umask: '027'
 sysctl_net_ipv6_conf_all_accept_ra_value: '0'
 sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
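Review bot: The new `var_password_hashing_algorithm_pam: sha512` sits directly above the existing `var_password_hashing_algorithm: SHA512` with no comment explaining why the same algorithm appears twice in different case; presumably one is written into the pam_unix line (lower-case) and the other into login.defs `ENCRYPT_METHOD` (upper-case), and without that recorded the next maintainer may unify them and break one consumer. Suggest `# lower-case form consumed by pam_unix; login.defs takes the upper-case var_password_hashing_algorithm` on the added line. Separately, `var_accounts_passwords_pam_faillock_deny` moves 3→5 and `var_account_disable_post_pw_expiration` 30→45, both in the less strict direction, while `var_password_pam_remember` jumps 5→24, and the commit message "Updated defaults/main.yml" names no benchmark revision. A header comment stating which benchmark version these defaults track would make swings like these reviewable against a published source rather than taken on trust.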
@@ -44,37 +48,44 @@ sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
 sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
 sysctl_net_ipv4_tcp_syncookies_value: '1'
-var_nftables_family: inet
-var_nftables_table: firewalld
 var_selinux_policy_name: targeted
 var_selinux_state: enforcing
 var_postfix_inet_interfaces: loopback-only
 var_multiple_time_servers: 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org
 var_sshd_set_keepalive: '1'
-sshd_idle_timeout_value: '900'
+sshd_idle_timeout_value: '300'
 var_sshd_set_login_grace_time: '60'
 sshd_max_auth_tries_value: '4'
 var_sshd_max_sessions: '10'
 var_sshd_set_maxstartups: 10:30:60
+sshd_strong_kex: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+sshd_strong_macs: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 var_accounts_passwords_pam_faillock_dir: /var/run/faillock
+var_auditd_disk_error_action: syslog|single|halt
+var_auditd_disk_full_action: halt|single
 var_auditd_action_mail_acct: root
-var_auditd_admin_space_left_action: halt
+var_auditd_admin_space_left_action: single|halt
 var_auditd_max_log_file: '6'
 var_auditd_max_log_file_action: keep_logs
-var_auditd_space_left_action: email
+var_auditd_space_left_action: email|exec|single|halt
 DISA_STIG_RHEL_09_211020: true
+DISA_STIG_RHEL_09_211030: true
 DISA_STIG_RHEL_09_211040: true
 DISA_STIG_RHEL_09_212025: true
 DISA_STIG_RHEL_09_212030: true
 DISA_STIG_RHEL_09_212055: true
+DISA_STIG_RHEL_09_213060: true
 DISA_STIG_RHEL_09_213065: true
 DISA_STIG_RHEL_09_213070: true
+DISA_STIG_RHEL_09_213080: true
 DISA_STIG_RHEL_09_213085: true
 DISA_STIG_RHEL_09_213090: true
 DISA_STIG_RHEL_09_214015: true
 DISA_STIG_RHEL_09_215015: true
+DISA_STIG_RHEL_09_215030: true
 DISA_STIG_RHEL_09_215040: true
 DISA_STIG_RHEL_09_215060: true
+DISA_STIG_RHEL_09_231040: true
 DISA_STIG_RHEL_09_231045: true
 DISA_STIG_RHEL_09_231050: true
 DISA_STIG_RHEL_09_231110: true
@@ -93,6 +104,7 @@ DISA_STIG_RHEL_09_231170: true
 DISA_STIG_RHEL_09_231175: true
 DISA_STIG_RHEL_09_231180: true
 DISA_STIG_RHEL_09_231185: true
+DISA_STIG_RHEL_09_231195: true
 DISA_STIG_RHEL_09_232040: true
 DISA_STIG_RHEL_09_232050: true
 DISA_STIG_RHEL_09_232055: true
@@ -160,8 +172,8 @@ DISA_STIG_RHEL_09_255110: true
 DISA_STIG_RHEL_09_255115: true
 DISA_STIG_RHEL_09_255120: true
 DISA_STIG_RHEL_09_255125: true
+DISA_STIG_RHEL_09_255135: true
 DISA_STIG_RHEL_09_255145: true
-DISA_STIG_RHEL_09_255155: true
 DISA_STIG_RHEL_09_271010: true
 DISA_STIG_RHEL_09_271015: true
 DISA_STIG_RHEL_09_271020: true
@@ -181,10 +193,11 @@ DISA_STIG_RHEL_09_411015: true
 DISA_STIG_RHEL_09_411035: true
 DISA_STIG_RHEL_09_411050: true
 DISA_STIG_RHEL_09_411065: true
-DISA_STIG_RHEL_09_411070: true
 DISA_STIG_RHEL_09_411075: true
+DISA_STIG_RHEL_09_411080: true
 DISA_STIG_RHEL_09_411090: true
 DISA_STIG_RHEL_09_411100: true
+DISA_STIG_RHEL_09_411115: true
 DISA_STIG_RHEL_09_412035: true
 DISA_STIG_RHEL_09_412055: true
 DISA_STIG_RHEL_09_412065: true
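Review bot: The added `sshd_strong_kex` and `sshd_strong_macs` values are unquoted YAML scalars beginning with `-`, and their names read as allow-lists while the leading `-` is sshd's syntax for removing the named algorithms from its default set, so what the variables actually hold are the weak KEX/MAC names to subtract. A plain scalar starting with `-` parses as a string only because no whitespace follows the dash; quoting them (`sshd_strong_kex: '-diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'`) plus `# leading '-' removes these from sshd's default list: a deny-list of weak algorithms, not an allow-list` keeps a future edit from silently turning the value into a sequence. Separately, `var_auditd_disk_error_action: syslog|single|halt`, `var_auditd_disk_full_action: halt|single`, `var_auditd_admin_space_left_action: single|halt` and `var_auditd_space_left_action: email|exec|single|halt` now carry `|`-separated alternatives; that is fine if the role only feeds them to a check regex, but none of them is a value auditd.conf accepts literally, so a comment naming the consumer that expects the alternation form (and what gets written on remediation) would help.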
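Review bot: `-DISA_STIG_RHEL_09_255155: true` turns a rule off, and the same pattern recurs in the @@ -181 hunk (411070), @@ -193 (611010, 652010/652020/652025), @@ -249 (accounts_password_pam_retry), @@ -312 (audit_rules_time_stime), @@ -379 (file_groupownership_home_directories), @@ -449 (journald_forward_to_syslog), @@ -487 and @@ -504. Removing a rule flag presumably only stops the role from applying that remediation; it does not revert the setting on hosts where an earlier run already applied it, so a fleet ends up split between freshly built hosts and long-lived ones unless that is handled elsewhere. The commit message "Updated defaults/main.yml" gives no reason for any of the removals; suggest a one-line comment per removed group, e.g. `# rsyslog rules dropped: role now manages journald (see package_systemd_journal_remote_installed)` if that is indeed the rationale, so the relaxations are traceable to a benchmark change rather than looking accidental.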
@@ -193,24 +206,25 @@ DISA_STIG_RHEL_09_431010: true
 DISA_STIG_RHEL_09_431015: true
 DISA_STIG_RHEL_09_432010: true
 DISA_STIG_RHEL_09_432015: true
-DISA_STIG_RHEL_09_611010: true
 DISA_STIG_RHEL_09_611015: true
 DISA_STIG_RHEL_09_611020: true
 DISA_STIG_RHEL_09_611025: true
 DISA_STIG_RHEL_09_611030: true
 DISA_STIG_RHEL_09_611035: true
+DISA_STIG_RHEL_09_611060: true
 DISA_STIG_RHEL_09_611075: true
 DISA_STIG_RHEL_09_611080: true
 DISA_STIG_RHEL_09_611090: true
+DISA_STIG_RHEL_09_611105: true
+DISA_STIG_RHEL_09_611115: true
+DISA_STIG_RHEL_09_611125: true
 DISA_STIG_RHEL_09_611130: true
+DISA_STIG_RHEL_09_611135: true
 DISA_STIG_RHEL_09_611140: true
 DISA_STIG_RHEL_09_611155: true
 DISA_STIG_RHEL_09_651010: true
 DISA_STIG_RHEL_09_651015: true
 DISA_STIG_RHEL_09_651025: true
-DISA_STIG_RHEL_09_652010: true
-DISA_STIG_RHEL_09_652020: true
-DISA_STIG_RHEL_09_652025: true
 DISA_STIG_RHEL_09_653010: true
 DISA_STIG_RHEL_09_653015: true
 DISA_STIG_RHEL_09_653040: true
@@ -249,16 +263,20 @@ account_password_pam_faillock_system_auth: true
 accounts_maximum_age_login_defs: true
 accounts_minimum_age_login_defs: true
 accounts_no_uid_except_zero: true
+accounts_password_pam_dictcheck: true
+accounts_password_pam_difok: true
+accounts_password_pam_enforce_root: true
+accounts_password_pam_maxrepeat: true
 accounts_password_pam_minclass: true
 accounts_password_pam_minlen: true
 accounts_password_pam_pwhistory_remember_password_auth: true
 accounts_password_pam_pwhistory_remember_system_auth: true
-accounts_password_pam_retry: true
 accounts_password_set_max_life_existing: true
 accounts_password_set_min_life_existing: true
 accounts_password_set_warn_age_existing: true
 accounts_password_warn_age_login_defs: true
 accounts_passwords_pam_faillock_deny: true
+accounts_passwords_pam_faillock_deny_root: true
 accounts_passwords_pam_faillock_unlock_time: true
 accounts_root_path_dirs_no_write: true
 accounts_set_post_pw_existing: true
@@ -266,6 +284,9 @@ accounts_tmout: true
 accounts_umask_etc_bashrc: true
 accounts_umask_etc_login_defs: true
 accounts_umask_etc_profile: true
+accounts_user_dot_group_ownership: true
+accounts_user_dot_no_world_writable_programs: true
+accounts_user_dot_user_ownership: true
 accounts_user_interactive_home_directory_exists: true
 aide_build_database: true
 aide_check_audit_tools: true
@@ -312,7 +333,6 @@ audit_rules_sysadmin_actions: true
 audit_rules_time_adjtimex: true
 audit_rules_time_clock_settime: true
 audit_rules_time_settimeofday: true
-audit_rules_time_stime: true
 audit_rules_time_watch_localtime: true
 audit_rules_unsuccessful_file_modification_creat: true
 audit_rules_unsuccessful_file_modification_ftruncate: true
@@ -325,6 +345,8 @@ audit_rules_usergroup_modification_opasswd: true
 audit_rules_usergroup_modification_passwd: true
 audit_rules_usergroup_modification_shadow: true
 audit_sudo_log_events: true
+auditd_data_disk_error_action: true
+auditd_data_disk_full_action: true
 auditd_data_retention_action_mail_acct: true
 auditd_data_retention_admin_space_left_action: true
 auditd_data_retention_max_log_file: true
@@ -333,6 +355,7 @@ auditd_data_retention_space_left_action: true
 banner_etc_issue: true
 banner_etc_issue_net: true
 banner_etc_motd: true
+chronyd_run_as_chrony_user: true
 chronyd_specify_remote_server: true
 configure_crypto_policy: true
 configure_ssh_crypto_policy: true
@@ -379,12 +402,12 @@ file_groupowner_etc_issue_net: true
 file_groupowner_etc_motd: true
 file_groupowner_etc_passwd: true
 file_groupowner_etc_shadow: true
+file_groupowner_etc_shells: true
 file_groupowner_grub2_cfg: true
 file_groupowner_sshd_config: true
 file_groupowner_user_cfg: true
 file_groupownership_audit_binaries: true
 file_groupownership_audit_configuration: true
-file_groupownership_home_directories: true
 file_groupownership_sshd_private_key: true
 file_groupownership_sshd_pub_key: true
 file_owner_backup_etc_group: true
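Review bot: `-file_groupownership_home_directories: true` drops group-ownership enforcement for home directories, while the @@ -266 hunk on the same line adds `accounts_user_dot_group_ownership: true` and `file_permissions_home_directories: true` stays enabled in the @@ -433 hunk, so the dot-files inside a home directory will now be checked for group ownership but the directory itself will not. If the benchmark revision genuinely dropped that control, a comment beside the remaining home-directory rules (`# group ownership of home dirs no longer enforced as of <benchmark revision>`) stops it being re-added as a drive-by fix; if it did not, the line should stay. The commit message does not say which of the two applies.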
@@ -405,6 +428,7 @@ file_owner_etc_issue_net: true
 file_owner_etc_motd: true
 file_owner_etc_passwd: true
 file_owner_etc_shadow: true
+file_owner_etc_shells: true
 file_owner_grub2_cfg: true
 file_owner_sshd_config: true
 file_owner_user_cfg: true
@@ -412,6 +436,7 @@ file_ownership_audit_binaries: true
 file_ownership_audit_configuration: true
 file_ownership_sshd_private_key: true
 file_ownership_sshd_pub_key: true
+file_permission_user_init_files: true
 file_permissions_at_allow: true
 file_permissions_audit_binaries: true
 file_permissions_audit_configuration: true
@@ -433,6 +458,7 @@ file_permissions_etc_issue_net: true
 file_permissions_etc_motd: true
 file_permissions_etc_passwd: true
 file_permissions_etc_shadow: true
+file_permissions_etc_shells: true
 file_permissions_grub2_cfg: true
 file_permissions_home_directories: true
 file_permissions_sshd_config: true
@@ -449,8 +475,15 @@ grub2_enable_selinux: true
 high_disruption: true
 high_severity: true
 journald_compress: true
-journald_forward_to_syslog: true
 journald_storage: true
+kernel_module_cramfs_disabled: true
+kernel_module_dccp_disabled: true
+kernel_module_freevxfs_disabled: true
+kernel_module_hfs_disabled: true
+kernel_module_hfsplus_disabled: true
+kernel_module_jffs2_disabled: true
+kernel_module_rds_disabled: true
+kernel_module_sctp_disabled: true
 kernel_module_squashfs_disabled: true
 kernel_module_tipc_disabled: true
 kernel_module_udf_disabled: true
@@ -487,9 +520,8 @@ no_rsh_trust_files: true
 no_shelllogin_for_systemaccounts: true
 package_aide_installed: true
 package_audit_installed: true
-package_avahi_removed: true
+package_audit_libs_installed: true
 package_bind_removed: true
-package_cups_removed: true
 package_cyrus_imapd_removed: true
 package_dhcp_removed: true
 package_dnsmasq_removed: true
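Review bot: `-package_avahi_removed` and `-package_cups_removed` are replaced by `service_avahi_daemon_disabled` and `service_cups_disabled` in the @@ -504 hunk, which leaves the avahi and cups packages installed and presumably only stops or masks their units. That is a weaker posture than removal — the binaries stay on disk and must keep being patched, and a disabled unit can be switched back on — so if it tracks a benchmark change it deserves a comment such as `# avahi/cups: benchmark now requires the service disabled, not the package removed`. It is also worth confirming that the role's service-disable tasks mask the unit rather than merely stopping it, since a stop-only remediation does not survive a reboot on a host where the unit is enabled; the task itself is not visible from this hunk.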
@@ -504,46 +536,50 @@ package_net_snmp_removed: true
 package_nftables_installed: true
 package_nginx_removed: true
 package_openldap_clients_removed: true
+package_pam_pwquality_installed: true
 package_rsync_removed: true
-package_rsyslog_installed: true
 package_samba_removed: true
 package_setroubleshoot_removed: true
 package_squid_removed: true
 package_sudo_installed: true
+package_systemd_journal_remote_installed: true
 package_telnet_removed: true
 package_telnet_server_removed: true
 package_tftp_removed: true
 package_tftp_server_removed: true
 package_vsftpd_removed: true
+package_xinetd_removed: true
 package_xorg_x11_server_common_removed: true
+package_ypbind_removed: true
+package_ypserv_removed: true
 postfix_network_listening_disabled: true
 reboot_required: true
 restrict_strategy: true
-rsyslog_filecreatemode: true
 rsyslog_files_groupownership: true
 rsyslog_files_ownership: true
 rsyslog_files_permissions: true
-rsyslog_nolisten: true
 selinux_not_disabled: true
 selinux_policytype: true
 selinux_state: true
 service_auditd_enabled: true
+service_autofs_disabled: true
+service_avahi_daemon_disabled: true
+service_bluetooth_disabled: true
 service_crond_enabled: true
+service_cups_disabled: true
 service_firewalld_enabled: true
 service_nfs_disabled: true
 service_nftables_disabled: true
 service_rpcbind_disabled: true
-service_rsyslog_enabled: true
 service_systemd_journald_enabled: true
-set_nftables_table: true
+set_password_hashing_algorithm_libuserconf: true
 set_password_hashing_algorithm_logindefs: true
 set_password_hashing_algorithm_passwordauth: true
 set_password_hashing_algorithm_systemauth: true
 sshd_disable_empty_passwords: true
+sshd_disable_gssapi_auth: true
 sshd_disable_rhosts: true
 sshd_disable_root_login: true
-sshd_disable_tcp_forwarding: true
-sshd_disable_x11_forwarding: true
 sshd_do_not_permit_user_env: true
 sshd_enable_pam: true
 sshd_enable_warning_banner_net: true
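Review bot: `-package_rsyslog_installed`, `-rsyslog_filecreatemode`, `-rsyslog_nolisten` and `-service_rsyslog_enabled` stop the role from installing and enabling rsyslog, yet `rsyslog_files_groupownership`, `rsyslog_files_ownership` and `rsyslog_files_permissions` stay `true`, so the role now enforces ownership and mode on the log files of a service it no longer guarantees is present. Either those three should go as well, or `package_rsyslog_installed` should stay; the added `package_systemd_journal_remote_installed: true` suggests logging is moving to journald, in which case dropping the three is the consistent choice. Separately, `-sshd_disable_tcp_forwarding` and `-sshd_disable_x11_forwarding` relax the SSH hardening with no rationale in the commit message; suggest `# tcp/x11 forwarding rules removed per <benchmark revision>` next to the remaining sshd_* flags so the relaxation is traceable.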
@@ -554,11 +590,14 @@ sshd_set_loglevel_verbose: true
 sshd_set_max_auth_tries: true
 sshd_set_max_sessions: true
 sshd_set_maxstartups: true
+sshd_use_strong_kex: true
+sshd_use_strong_macs: true
 sudo_add_use_pty: true
 sudo_custom_logfile: true
 sudo_require_authentication: true
 sudo_require_reauthentication: true
 sysctl_kernel_randomize_va_space: true
+sysctl_kernel_yama_ptrace_scope: true
 sysctl_net_ipv4_conf_all_accept_redirects: true
 sysctl_net_ipv4_conf_all_accept_source_route: true
 sysctl_net_ipv4_conf_all_log_martians: true
@@ -586,3 +625,4 @@ unknown_severity: true
 unknown_strategy: true
 use_pam_wheel_group_for_su: true
 wireless_disable_interfaces: true
+xwindows_runlevel_target: true
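Review bot: `sysctl_kernel_yama_ptrace_scope: true` is enabled but the patch adds no companion value variable for it, whereas the other sysctl rules in this file are paired with a `sysctl_*_value` entry (e.g. `sysctl_net_ipv4_tcp_syncookies_value: '1'` in the @@ -44 hunk). If the task behind this flag reads such a variable it will either fall back to a role-internal default or fail on an undefined variable; if it hard-codes the scope level, a comment saying so prevents someone adding a dead `_value` entry later. Please add the variable (its name would follow the file's convention — inferred from the pattern, not visible here) with the intended ptrace scope, or `# value fixed in the task` beside the flag. The enabled `sshd_use_strong_kex`/`sshd_use_strong_macs` consume the `sshd_strong_kex`/`sshd_strong_macs` lists from the @@ -44 hunk, whose leading `-` makes them subtractive lists of weak algorithms rather than allow-lists; that is worth a comment at the point of use as well.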