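---
# defaults file for rhel9_cis_workstation_l1
#
# Layout: tunable values first (the `var_*` / `*_value` keys), followed by one
# boolean per rule id that switches the matching tasks on or off.
# Numeric-looking values are kept as quoted strings on purpose: the role
# renders them into config files verbatim, and an unquoted '027' or '900'
# would be re-typed (octal / int) by the YAML 1.1 loader Ansible uses.
# Override these from inventory or group_vars rather than editing this file;
# role defaults have the lowest variable precedence.

# GNOME session lock: idle time before the screensaver starts and the delay
# before it locks, both in seconds (presumably consumed by the
# dconf_gnome_screensaver_* rules further down — confirm in tasks/main.yml).
inactivity_timeout_value: '900'
var_screensaver_lock_delay: '5'

# sudo: dedicated log file and credential-cache lifetime in minutes
# (sudo_custom_logfile / sudo_require_reauthentication).
var_sudo_logfile: /var/log/sudo.log
var_sudo_timestamp_timeout: '15'

# authselect profile the PAM changes are applied on top of.
var_authselect_profile: sssd

# Login banners. `cis_banner_text` is the wording written to the banner
# files, `login_banner_text` is the regex the login-screen banner rule
# checks against; keep the two in step when the wording is customised.
# The regex is a plain scalar on purpose: backslashes are literal here,
# whereas in a double-quoted scalar `\s` is an invalid escape and `\n`
# becomes a real newline.
cis_banner_text: Authorized users only. All activity may be monitored and reported.
login_banner_text: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$

# Password history (pam_pwhistory), lockout (pam_faillock: 5 failures,
# automatic unlock after 900 s) and quality (pam_pwquality) settings.
var_password_pam_remember: '24'
var_password_pam_remember_control_flag: requisite,required
var_accounts_passwords_pam_faillock_deny: '5'
var_accounts_passwords_pam_faillock_unlock_time: '900'
var_password_pam_dictcheck: '1'
var_password_pam_difok: '2'
var_password_pam_maxrepeat: '3'
var_password_pam_maxsequence: '3'
var_password_pam_minclass: '4'
var_password_pam_minlen: '14'

# Hashing algorithm spelled the way each consumer expects it: lower case for
# the pam_unix module option, upper case for ENCRYPT_METHOD in login.defs /
# libuser.conf. Both must name the same algorithm.
var_password_hashing_algorithm_pam: sha512
var_password_hashing_algorithm: SHA512

# Account ageing, in days: disable 45 days after password expiry, maximum
# password age 365, warn 7 days before expiry.
var_account_disable_post_pw_expiration: '45'
var_accounts_maximum_age_login_defs: '365'
var_accounts_password_warn_age_login_defs: '7'

# Group permitted to use su (pam_wheel). With ensure_pam_wheel_group_empty
# enabled below this group is kept empty, so su is effectively unavailable,
# which matches the CIS control.
var_pam_wheel_group_for_su: sugroup

# Shell idle timeout (TMOUT, seconds), name pattern for user init files,
# default umask. The umask is quoted: an unquoted leading-zero scalar is
# read as octal by YAML 1.1 loaders (027 -> 23).
var_accounts_tmout: '900'
var_user_initialization_files_regex: ^\.[\w\- ]+$
var_accounts_user_umask: '027'

# Kernel network hardening values, written by the matching sysctl_* rules
# below: no router advertisements, ICMP redirects or source routing,
# no IPv6 forwarding, reverse-path filtering and martian logging on,
# broadcast/bogus ICMP ignored, SYN cookies on.
sysctl_net_ipv6_conf_all_accept_ra_value: '0'
sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
sysctl_net_ipv6_conf_all_accept_source_route_value: '0'
sysctl_net_ipv6_conf_all_forwarding_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_value: '0'
sysctl_net_ipv6_conf_default_accept_redirects_value: '0'
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_accept_redirects_value: '0'
sysctl_net_ipv4_conf_all_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_log_martians_value: '1'
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_default_log_martians_value: '1'
sysctl_net_ipv4_conf_default_rp_filter_value: '1'
sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'

# SELinux policy type (selinux_policytype rule).
var_selinux_policy_name: targeted

# Postfix listens on loopback only (postfix_network_listening_disabled).
var_postfix_inet_interfaces: loopback-only

# Comma-separated chrony servers. The public pool is the default; point this
# at internal time sources where outbound NTP is filtered.
var_multiple_time_servers: 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org

# sshd: keepalive count, idle timeout (seconds), login grace (seconds),
# max auth tries, max sessions, and MaxStartups as the literal
# `start:rate:full` triple. The triple is quoted because YAML 1.1 loaders
# can read an unquoted digits-and-colons scalar as a base-60 integer
# (e.g. 10:30:50 -> 37850); sshd needs the string.
var_sshd_set_keepalive: '1'
sshd_idle_timeout_value: '300'
var_sshd_set_login_grace_time: '60'
sshd_max_auth_tries_value: '4'
var_sshd_max_sessions: '10'
var_sshd_set_maxstartups: '10:30:60'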
# DISA STIG rule ids (RHEL-09-xxxxxx) covered by this profile. Each key is
# presumably a per-rule enable switch read by the role's tasks — confirm
# against tasks/main.yml. Set one to false to skip that rule.
# NOTE(review): the keys are generated upper-case names; do not rename them
# to snake_case, the tasks reference them as written here.
DISA_STIG_RHEL_09_171011: true
DISA_STIG_RHEL_09_211040: true
DISA_STIG_RHEL_09_212025: true
DISA_STIG_RHEL_09_212030: true
DISA_STIG_RHEL_09_213070: true
DISA_STIG_RHEL_09_213080: true
DISA_STIG_RHEL_09_213085: true
DISA_STIG_RHEL_09_213090: true
DISA_STIG_RHEL_09_214015: true
DISA_STIG_RHEL_09_214025: true
DISA_STIG_RHEL_09_215015: true
DISA_STIG_RHEL_09_215040: true
DISA_STIG_RHEL_09_215060: true
DISA_STIG_RHEL_09_231045: true
DISA_STIG_RHEL_09_231050: true
DISA_STIG_RHEL_09_231110: true
DISA_STIG_RHEL_09_231115: true
DISA_STIG_RHEL_09_231120: true
DISA_STIG_RHEL_09_231125: true
DISA_STIG_RHEL_09_231130: true
DISA_STIG_RHEL_09_231135: true
DISA_STIG_RHEL_09_231140: true
DISA_STIG_RHEL_09_231145: true
DISA_STIG_RHEL_09_231150: true
DISA_STIG_RHEL_09_231155: true
DISA_STIG_RHEL_09_231160: true
DISA_STIG_RHEL_09_231165: true
DISA_STIG_RHEL_09_231170: true
DISA_STIG_RHEL_09_231175: true
DISA_STIG_RHEL_09_231180: true
DISA_STIG_RHEL_09_231185: true
DISA_STIG_RHEL_09_231195: true
DISA_STIG_RHEL_09_232040: true
DISA_STIG_RHEL_09_232050: true
DISA_STIG_RHEL_09_232055: true
DISA_STIG_RHEL_09_232060: true
DISA_STIG_RHEL_09_232065: true
DISA_STIG_RHEL_09_232070: true
DISA_STIG_RHEL_09_232075: true
DISA_STIG_RHEL_09_232080: true
DISA_STIG_RHEL_09_232085: true
DISA_STIG_RHEL_09_232090: true
DISA_STIG_RHEL_09_232095: true
DISA_STIG_RHEL_09_232100: true
DISA_STIG_RHEL_09_232105: true
DISA_STIG_RHEL_09_232110: true
DISA_STIG_RHEL_09_232115: true
DISA_STIG_RHEL_09_232120: true
DISA_STIG_RHEL_09_232125: true
DISA_STIG_RHEL_09_232130: true
DISA_STIG_RHEL_09_232135: true
DISA_STIG_RHEL_09_232140: true
DISA_STIG_RHEL_09_232145: true
DISA_STIG_RHEL_09_232150: true
DISA_STIG_RHEL_09_232155: true
DISA_STIG_RHEL_09_232160: true
DISA_STIG_RHEL_09_232165: true
DISA_STIG_RHEL_09_232230: true
DISA_STIG_RHEL_09_232235: true
DISA_STIG_RHEL_09_232245: true
DISA_STIG_RHEL_09_232270: true
DISA_STIG_RHEL_09_251010: true
DISA_STIG_RHEL_09_251015: true
DISA_STIG_RHEL_09_252010: true
DISA_STIG_RHEL_09_252020: true
DISA_STIG_RHEL_09_253010: true
DISA_STIG_RHEL_09_253015: true
DISA_STIG_RHEL_09_253020: true
DISA_STIG_RHEL_09_253025: true
DISA_STIG_RHEL_09_253030: true
DISA_STIG_RHEL_09_253035: true
DISA_STIG_RHEL_09_253040: true
DISA_STIG_RHEL_09_253045: true
DISA_STIG_RHEL_09_253050: true
DISA_STIG_RHEL_09_253055: true
DISA_STIG_RHEL_09_253060: true
DISA_STIG_RHEL_09_253065: true
DISA_STIG_RHEL_09_253070: true
DISA_STIG_RHEL_09_254010: true
DISA_STIG_RHEL_09_254015: true
DISA_STIG_RHEL_09_254020: true
DISA_STIG_RHEL_09_254025: true
DISA_STIG_RHEL_09_254030: true
DISA_STIG_RHEL_09_254035: true
DISA_STIG_RHEL_09_254040: true
DISA_STIG_RHEL_09_255030: true
DISA_STIG_RHEL_09_255040: true
DISA_STIG_RHEL_09_255045: true
DISA_STIG_RHEL_09_255050: true
DISA_STIG_RHEL_09_255080: true
DISA_STIG_RHEL_09_255085: true
DISA_STIG_RHEL_09_255095: true
DISA_STIG_RHEL_09_255100: true
DISA_STIG_RHEL_09_255105: true
DISA_STIG_RHEL_09_255110: true
DISA_STIG_RHEL_09_255115: true
DISA_STIG_RHEL_09_255120: true
DISA_STIG_RHEL_09_255125: true
DISA_STIG_RHEL_09_255135: true
DISA_STIG_RHEL_09_255145: true
DISA_STIG_RHEL_09_271010: true
DISA_STIG_RHEL_09_271015: true
DISA_STIG_RHEL_09_271030: true
DISA_STIG_RHEL_09_271035: true
DISA_STIG_RHEL_09_271065: true
DISA_STIG_RHEL_09_271070: true
DISA_STIG_RHEL_09_271075: true
DISA_STIG_RHEL_09_271080: true
DISA_STIG_RHEL_09_271090: true
DISA_STIG_RHEL_09_271115: true
DISA_STIG_RHEL_09_411010: true
DISA_STIG_RHEL_09_411015: true
DISA_STIG_RHEL_09_411035: true
DISA_STIG_RHEL_09_411050: true
DISA_STIG_RHEL_09_411065: true
DISA_STIG_RHEL_09_411075: true
DISA_STIG_RHEL_09_411090: true
DISA_STIG_RHEL_09_411100: true
DISA_STIG_RHEL_09_412035: true
DISA_STIG_RHEL_09_412055: true
DISA_STIG_RHEL_09_412065: true
DISA_STIG_RHEL_09_412070: true
DISA_STIG_RHEL_09_431015: true
DISA_STIG_RHEL_09_432010: true
DISA_STIG_RHEL_09_432015: true
DISA_STIG_RHEL_09_432025: true
DISA_STIG_RHEL_09_611025: true
DISA_STIG_RHEL_09_611030: true
DISA_STIG_RHEL_09_611035: true
DISA_STIG_RHEL_09_611060: true
DISA_STIG_RHEL_09_611090: true
DISA_STIG_RHEL_09_611105: true
DISA_STIG_RHEL_09_611115: true
DISA_STIG_RHEL_09_611125: true
DISA_STIG_RHEL_09_611130: true
DISA_STIG_RHEL_09_611135: true
DISA_STIG_RHEL_09_611140: true
DISA_STIG_RHEL_09_611155: true
DISA_STIG_RHEL_09_651010: true
DISA_STIG_RHEL_09_651025: true
DISA_STIG_RHEL_09_671025: true
# Umbrella switch for the STIG-specific rules — presumably gates the tasks
# that only the STIG mapping needs; verify against the tasks before relying
# on it as a single off-switch.
DISA_STIG_needed_rules: true
# Per-rule switches, one boolean per rule id, in alphabetical order. Set a
# key to false (from inventory, not here) to skip that rule's tasks. The
# list also carries the generator's classification tags (severity,
# disruption, complexity, strategy, reboot); those are not rules, and
# presumably a task runs when any of its tags is enabled — so having both
# `reboot_required` and `no_reboot_needed` true is expected, not a conflict.

# Accounts and password policy: ageing, faillock, pwquality, pwhistory,
# root-only UID 0, umask, TMOUT, ownership of per-user dotfiles.
account_disable_post_pw_expiration: true
account_password_pam_faillock_password_auth: true
account_password_pam_faillock_system_auth: true
accounts_maximum_age_login_defs: true
accounts_no_uid_except_zero: true
accounts_password_pam_dictcheck: true
accounts_password_pam_difok: true
accounts_password_pam_enforce_root: true
accounts_password_pam_maxrepeat: true
accounts_password_pam_maxsequence: true
accounts_password_pam_minclass: true
accounts_password_pam_minlen: true
accounts_password_pam_modules_in_authselect_profile: true
accounts_password_pam_pwhistory_enforce_for_root: true
accounts_password_pam_pwhistory_remember_password_auth: true
accounts_password_pam_pwhistory_remember_system_auth: true
accounts_password_pam_unix_no_remember: true
accounts_password_set_max_life_existing: true
accounts_password_set_warn_age_existing: true
accounts_password_warn_age_login_defs: true
accounts_passwords_pam_faillock_deny: true
accounts_passwords_pam_faillock_unlock_time: true
accounts_root_path_dirs_no_write: true
accounts_set_post_pw_existing: true
accounts_tmout: true
accounts_umask_etc_bashrc: true
accounts_umask_etc_login_defs: true
accounts_umask_etc_profile: true
accounts_user_dot_group_ownership: true
accounts_user_dot_user_ownership: true
accounts_user_interactive_home_directory_exists: true
# File-integrity monitoring (AIDE), including coverage of the audit tools.
aide_build_database: true
aide_check_audit_tools: true
aide_periodic_cron_checking: true
# Login banners on the console, network logins and MOTD.
banner_etc_issue_cis: true
banner_etc_issue_net_cis: true
banner_etc_motd_cis: true
# Time sync: chrony runs unprivileged and uses the configured servers.
chronyd_run_as_chrony_user: true
chronyd_specify_remote_server: true
# System-wide crypto policy and core-dump suppression.
configure_custom_crypto_policy_cis: true
configure_strategy: true
coredump_disable_backtraces: true
coredump_disable_storage: true
# GNOME/dconf: banner, no autorun, no user list, screensaver lock.
dconf_db_up_to_date: true
dconf_gnome_banner_enabled: true
dconf_gnome_disable_autorun: true
dconf_gnome_disable_user_list: true
dconf_gnome_login_banner_text: true
dconf_gnome_screensaver_idle_delay: true
dconf_gnome_screensaver_lock_delay: true
dconf_gnome_screensaver_user_locks: true
dconf_gnome_session_idle_user_locks: true
dir_perms_world_writable_sticky_bits: true
disable_host_auth: true
disable_strategy: true
enable_authselect: true
enable_strategy: true
# Package signature verification must stay on; pam_wheel su group stays empty.
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_never_disabled: true
ensure_pam_wheel_group_empty: true
# Ownership and permissions of cron/at access lists, account databases and
# their backups, banners, boot loader config, sshd config and host keys.
file_at_allow_exists: true
file_at_deny_not_exist: true
file_cron_allow_exists: true
file_cron_deny_not_exist: true
file_etc_security_opasswd: true
file_groupowner_at_allow: true
file_groupowner_backup_etc_group: true
file_groupowner_backup_etc_gshadow: true
file_groupowner_backup_etc_passwd: true
file_groupowner_backup_etc_shadow: true
file_groupowner_cron_allow: true
file_groupowner_cron_d: true
file_groupowner_cron_daily: true
file_groupowner_cron_hourly: true
file_groupowner_cron_monthly: true
file_groupowner_cron_weekly: true
file_groupowner_crontab: true
file_groupowner_etc_group: true
file_groupowner_etc_gshadow: true
file_groupowner_etc_issue: true
file_groupowner_etc_issue_net: true
file_groupowner_etc_motd: true
file_groupowner_etc_passwd: true
file_groupowner_etc_shadow: true
file_groupowner_etc_shells: true
file_groupowner_grub2_cfg: true
file_groupowner_sshd_config: true
file_groupowner_user_cfg: true
file_groupownership_sshd_private_key: true
file_groupownership_sshd_pub_key: true
file_owner_backup_etc_group: true
file_owner_backup_etc_gshadow: true
file_owner_backup_etc_passwd: true
file_owner_backup_etc_shadow: true
file_owner_cron_allow: true
file_owner_cron_d: true
file_owner_cron_daily: true
file_owner_cron_hourly: true
file_owner_cron_monthly: true
file_owner_cron_weekly: true
file_owner_crontab: true
file_owner_etc_group: true
file_owner_etc_gshadow: true
file_owner_etc_issue: true
file_owner_etc_issue_net: true
file_owner_etc_motd: true
file_owner_etc_passwd: true
file_owner_etc_shadow: true
file_owner_etc_shells: true
file_owner_grub2_cfg: true
file_owner_sshd_config: true
file_owner_user_cfg: true
file_ownership_sshd_private_key: true
file_ownership_sshd_pub_key: true
file_permission_user_init_files: true
file_permissions_at_allow: true
file_permissions_backup_etc_group: true
file_permissions_backup_etc_gshadow: true
file_permissions_backup_etc_passwd: true
file_permissions_backup_etc_shadow: true
file_permissions_cron_allow: true
file_permissions_cron_d: true
file_permissions_cron_daily: true
file_permissions_cron_hourly: true
file_permissions_cron_monthly: true
file_permissions_cron_weekly: true
file_permissions_crontab: true
file_permissions_etc_group: true
file_permissions_etc_gshadow: true
file_permissions_etc_issue: true
file_permissions_etc_issue_net: true
file_permissions_etc_motd: true
file_permissions_etc_passwd: true
file_permissions_etc_shadow: true
file_permissions_etc_shells: true
file_permissions_grub2_cfg: true
file_permissions_home_directories: true
file_permissions_sshd_config: true
file_permissions_sshd_private_key: true
file_permissions_sshd_pub_key: true
file_permissions_user_cfg: true
# Firewall: loopback handling on firewalld (the active firewall here;
# see service_nftables_disabled below).
firewalld_loopback_traffic_restricted: true
firewalld_loopback_traffic_trusted: true
gnome_gdm_disable_xdmcp: true
grub2_enable_selinux: true
high_disruption: true
high_severity: true
# Journald local storage with compression.
journald_compress: true
journald_storage: true
# Unneeded filesystem modules blocked from loading.
kernel_module_cramfs_disabled: true
kernel_module_freevxfs_disabled: true
kernel_module_hfs_disabled: true
kernel_module_hfsplus_disabled: true
kernel_module_jffs2_disabled: true
low_complexity: true
low_disruption: true
low_severity: true
medium_disruption: true
medium_severity: true
# nodev/nosuid/noexec on the writable and log partitions; these rules
# presumably require the partitions to exist as separate mounts — check the
# target's layout before enabling them unchanged.
mount_option_dev_shm_nodev: true
mount_option_dev_shm_noexec: true
mount_option_dev_shm_nosuid: true
mount_option_home_nodev: true
mount_option_home_nosuid: true
mount_option_tmp_nodev: true
mount_option_tmp_noexec: true
mount_option_tmp_nosuid: true
mount_option_var_log_audit_nodev: true
mount_option_var_log_audit_noexec: true
mount_option_var_log_audit_nosuid: true
mount_option_var_log_nodev: true
mount_option_var_log_noexec: true
mount_option_var_log_nosuid: true
mount_option_var_nodev: true
mount_option_var_nosuid: true
mount_option_var_tmp_nodev: true
mount_option_var_tmp_noexec: true
mount_option_var_tmp_nosuid: true
# No empty passwords, no shell or password auth for system accounts,
# no rsh trust files.
no_empty_passwords: true
no_empty_passwords_etc_shadow: true
no_password_auth_for_systemaccounts: true
no_reboot_needed: true
no_rsh_trust_files: true
no_shelllogin_for_systemaccounts: true
# Required packages installed; legacy / cleartext / unneeded services
# removed (telnet, ftp, tftp, rsync, samba, squid, web, mail, DNS, DHCP,
# SNMP, mcstrans).
package_aide_installed: true
package_bind_removed: true
package_chrony_installed: true
package_cron_installed: true
package_cyrus_imapd_removed: true
package_dhcp_removed: true
package_dovecot_removed: true
package_firewalld_installed: true
package_ftp_removed: true
package_httpd_removed: true
package_libselinux_installed: true
package_mcstrans_removed: true
package_net_snmp_removed: true
package_nftables_installed: true
package_nginx_removed: true
package_pam_pwquality_installed: true
package_rsync_removed: true
package_samba_removed: true
package_squid_removed: true
package_sudo_installed: true
package_systemd_journal_remote_installed: true
package_telnet_removed: true
package_telnet_server_removed: true
package_tftp_removed: true
package_tftp_server_removed: true
package_vsftpd_removed: true
postfix_network_listening_disabled: true
reboot_required: true
restrict_strategy: true
# rsyslog log-file ownership and modes.
rsyslog_files_groupownership: true
rsyslog_files_ownership: true
rsyslog_files_permissions: true
# SELinux stays enabled with the targeted policy.
selinux_not_disabled: true
selinux_policytype: true
# Services: cron, firewalld and journald on; dnsmasq, NFS, rpcbind off.
# The standalone nftables service is disabled because firewalld is the
# active firewall and manages the nftables ruleset itself; running both
# would leave two managers of the same rules.
service_crond_enabled: true
service_dnsmasq_disabled: true
service_firewalld_enabled: true
service_nfs_disabled: true
service_nftables_disabled: true
service_rpcbind_disabled: true
service_systemd_journald_enabled: true
# Password hashing algorithm applied in each consumer (libuser, login.defs,
# both PAM stacks) — they must agree on the value set above.
set_password_hashing_algorithm_libuserconf: true
set_password_hashing_algorithm_logindefs: true
set_password_hashing_algorithm_passwordauth: true
set_password_hashing_algorithm_systemauth: true
special_service_block: true
# sshd hardening: no empty passwords, forwarding, GSSAPI, rhosts, root
# login or user environment; PAM and banner on; timeouts, auth-try,
# session and startup limits from the values above; verbose logging so
# key fingerprints appear in the auth log.
sshd_disable_empty_passwords: true
sshd_disable_forwarding: true
sshd_disable_gssapi_auth: true
sshd_disable_rhosts: true
sshd_disable_root_login: true
sshd_do_not_permit_user_env: true
sshd_enable_pam: true
sshd_enable_warning_banner_net: true
sshd_set_idle_timeout: true
sshd_set_keepalive: true
sshd_set_login_grace_time: true
sshd_set_loglevel_verbose: true
sshd_set_max_auth_tries: true
sshd_set_max_sessions: true
sshd_set_maxstartups: true
# sudo: pty required, dedicated log file, no NOPASSWD / !authenticate,
# re-authentication timeout.
sudo_add_use_pty: true
sudo_custom_logfile: true
sudo_remove_no_authenticate: true
sudo_require_reauthentication: true
# Kernel sysctls: ASLR, ptrace scope, and the IPv4/IPv6 network settings
# whose values are defined at the top of the file.
sysctl_kernel_randomize_va_space: true
sysctl_kernel_yama_ptrace_scope: true
sysctl_net_ipv4_conf_all_accept_redirects: true
sysctl_net_ipv4_conf_all_accept_source_route: true
sysctl_net_ipv4_conf_all_log_martians: true
sysctl_net_ipv4_conf_all_rp_filter: true
sysctl_net_ipv4_conf_all_secure_redirects: true
sysctl_net_ipv4_conf_all_send_redirects: true
sysctl_net_ipv4_conf_default_accept_redirects: true
sysctl_net_ipv4_conf_default_accept_source_route: true
sysctl_net_ipv4_conf_default_log_martians: true
sysctl_net_ipv4_conf_default_rp_filter: true
sysctl_net_ipv4_conf_default_secure_redirects: true
sysctl_net_ipv4_conf_default_send_redirects: true
sysctl_net_ipv4_icmp_echo_ignore_broadcasts: true
sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true
sysctl_net_ipv4_ip_forward: true
sysctl_net_ipv4_tcp_syncookies: true
sysctl_net_ipv6_conf_all_accept_ra: true
sysctl_net_ipv6_conf_all_accept_redirects: true
sysctl_net_ipv6_conf_all_accept_source_route: true
sysctl_net_ipv6_conf_all_forwarding: true
sysctl_net_ipv6_conf_default_accept_ra: true
sysctl_net_ipv6_conf_default_accept_redirects: true
sysctl_net_ipv6_conf_default_accept_source_route: true
unknown_severity: true
unknown_strategy: true
# su restricted to the pam_wheel group named above.
use_pam_wheel_group_for_su: true