diff --git a/defaults/main.yml b/defaults/main.yml
index 3fe96c19..c515d690 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,6 +11,10 @@ system_is_ec2: false
 # Supported OSs will not need for this to be changed - see README e.g. CentOS
 os_check: true
+## Switching on/off specific baseline sections
+# These variables govern whether the tasks of a particular section are to be executed when running the role.
+# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
+# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false".
 rhel9cis_section1: true
 rhel9cis_section2: true
 rhel9cis_section3: true
@@ -22,6 +26,7 @@ rhel9cis_section6: true
 # e.g.
 # - level1-server
 # - level2-workstation
+# Used for audit
 rhel9cis_level_1: true
 rhel9cis_level_2: true
@@ -39,7 +44,8 @@ benchmark_version: 'v1.0.0'
 benchmark: RHEL9-CIS
-# Whether to skip the reboot
+# Whether to skip the system reboot before audit
+# System will reboot if false, can give better audit results
 skip_reboot: true
 # default value will change to true but wont reboot if not enabled but will error
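Review bot: The worked example in the new section-toggle comment of the first hunk is garbled: `+# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.` already closes the sentence, and the next line restarts it with `to "true".`, so the two read as a duplicated fragment, and `"_section1"` is not the full variable name shown right below. Merge them into one line such as `# E.g.: to run the tasks of Section 1 set "rhel9cis_section1" to "true"; to skip a section set its variable to "false".` The second sentence of the block (`These variables govern whether the tasks of a particular section are to be executed`) is fine and can stay as the lead-in.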
@@ -48,21 +54,39 @@ change_requires_reboot: false
 #### Basic external goss audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####
-### Goss is required on the remote host
+## Audit setup
+# Audits are carried out using Goss. This variable
+# determines whether execution of the role prepares for auditing
+# by installing the required binary.
 setup_audit: false
-# How to retrive goss
+## How to retrive goss
 # Options are copy or download - detailed settings at the bottom of this file
+# provided in variable `audit_conf_copy` for copying or
+# the url given in variable `audit_files_url` for downloading.
 # you will need to access to either github or the file already dowmloaded
 get_audit_binary_method: download
-# how to get audit files onto host options
+## How to retrieve the audit role
+# The role for auditing is maintained separately.
+# This variable specifies the method of how to get the audit role
 # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)
+# onto the system. The options are as follows:
+# - git: clone from git repository as specified in variable `audit_file_git` in
+# the version specified by variable `audit_git_version`
+# - copy: copy from path as specified in variable `audit_conf_copy`
+# - get_url: Download from url as specified in variable `audit_files_url`
 audit_content: git
-# enable audits to run - this runs the audit and get the latest content
+## Enable audits to run
+# This variable governs whether the audit using the
+# separately maintained audit role using Goss
+# is carried out.
 run_audit: false
 # Timeout for those cmds that take longer to run where timeout set
+# This variable specifies the timeout (in ms) for audit commands that
+# take a very long time: if a command takes too long to complete,
+# it will be forcefully terminated after the specified duration.
 audit_cmd_timeout: 60000
 ### End Goss enablements ####
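Review bot: The new sentences under `## How to retrive goss` and `## How to retrieve the audit role` are interleaved with kept old lines, so neither block reads as prose: `+# provided in variable \`audit_conf_copy\` for copying or` continues nothing, and `+# onto the system. The options are as follows:` is cut off from `+# This variable specifies the method of how to get the audit role` by the old `# options are git/copy/get_url - use local ...` line. Move each old line below the new text (or drop it where the new list supersedes it) so every block reads top to bottom, and fix `retrive` in the new heading to `retrieve`. The kept line still mentions `local`, which the new option list does not; state whether `local` is accepted or replace it with `copy`. The variable names cited in backticks (`audit_conf_copy`, `audit_files_url`, `audit_file_git`, `audit_git_version`) should be checked against the Goss settings block at the bottom of the file, which is outside this hunk.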
@@ -72,7 +96,9 @@ audit_cmd_timeout: 60000
 # the CIS benchmark documents.
 # PLEASE NOTE: These work in coordination with the section # group variables and tags.
 # You must enable an entire section in order for the variables below to take effect.
-# Section 1 rules
+
+# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
+# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
 rhel9cis_rule_1_1_1_1: true
 rhel9cis_rule_1_1_1_2: true
 rhel9cis_rule_1_1_2_1: true
@@ -145,7 +171,7 @@ rhel9cis_rule_1_8_10: true
 rhel9cis_rule_1_9: true
 rhel9cis_rule_1_10: true
-# Section 2 rules
+# Section 2 rules are controling Services (Special Purpose Services, and service clients)
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
 rhel9cis_rule_2_2_1: true
@@ -173,6 +199,7 @@ rhel9cis_rule_2_3_4: true
 rhel9cis_rule_2_4: true
 # Section 3 rules
+# Network Configuration
 rhel9cis_rule_3_1_1: true
 rhel9cis_rule_3_1_2: true
 rhel9cis_rule_3_1_3: true
@@ -197,7 +224,8 @@ rhel9cis_rule_3_4_2_5: true
 rhel9cis_rule_3_4_2_6: true
 rhel9cis_rule_3_4_2_7: true
-# Section 4 rules
+# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd),
+# Configure Data Retention, and Configure Logging)
 rhel9cis_rule_4_1_1_1: true
 rhel9cis_rule_4_1_1_2: true
 rhel9cis_rule_4_1_1_3: true
@@ -256,7 +284,8 @@ rhel9cis_rule_4_2_2_7: true
 rhel9cis_rule_4_2_3: true
 rhel9cis_rule_4_3: true
-# Section 5 rules
+# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers,
+# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment)
 rhel9cis_rule_5_1_1: true
 rhel9cis_rule_5_1_2: true
 rhel9cis_rule_5_1_3: true
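Review bot: The new `+# Section 1 is Initial setup (FileSystem Configuration, ...` line in the first hunk runs well past 120 characters; wrap it the way the Section 4 and Section 5 comments in the later hunks are wrapped, e.g. `# Section 1 rules control Initial Setup (Filesystem Configuration, Configure Software Updates,` / `# Filesystem Integrity Checking, Secure Boot Settings, Additional Process Hardening, ...)`. In the second hunk `controling` should be `controlling`. The six headers now use three different phrasings (`Section N is ...`, `Section N rules are ...`, `Section N rules control ...`); one form for all of them keeps the section markers greppable.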
@@ -311,7 +340,8 @@ rhel9cis_rule_5_6_4: true
 rhel9cis_rule_5_6_5: true
 rhel9cis_rule_5_6_6: true
-# Section 6 rules
+# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings)
+rhel9cis_rule_6_1_1: true
 rhel9cis_rule_6_1_1: true
 rhel9cis_rule_6_1_2: true
 rhel9cis_rule_6_1_3: true
@@ -377,10 +407,18 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4
 rhel9cis_bootloader_password: random # pragma: allowlist secret
 rhel9cis_set_boot_pass: true
-# 1.8 Gnome Desktop
+
+## Controls 1.8.x - Settings for GDM
+# This variable specifies the GNOME configuration database file to which configurations are written.
+# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
+# The default database is `local`
 rhel9cis_dconf_db_name: local
-rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900)
-rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5)
+# This variable governs the number of seconds of inactivity before the screen goes blank.
+# Set max value for idle-delay in seconds (between 1 and 900)
+rhel9cis_screensaver_idle_delay: 900
+# This variable governs the number of seconds the screen remains blank before it is locked.
+# Set max value for lock-delay in seconds (between 0 and 5)
+rhel9cis_screensaver_lock_delay: 5
 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 # Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
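Review bot: The first hunk adds `+rhel9cis_rule_6_1_1: true` immediately above the existing ` rhel9cis_rule_6_1_1: true` context line, so the mapping now carries a duplicate key; YAML 1.2 forbids duplicates and most loaders silently keep the last occurrence, so drop the added line. The heading on the same hunk reads `Section 6 rules controls`; make it `control`. In the second hunk, each screensaver key now has two comment lines that say the same thing (`This variable governs the number of seconds ...` and `Set max value for ... in seconds (between ...)`); keeping only the second, which states the valid range, is enough.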
@@ -389,27 +427,67 @@ rhel9cis_crypto_policy: 'DEFAULT'
 rhel9cis_crypto_policy_module: ''
 # System network parameters (host only OR host and router)
+# This variable governs whether specific CIS rules
+# concerned with acceptance and routing of packages are skipped.
 rhel9cis_is_router: false
-# IPv6 required
+## IPv6 requirement toggle
+# This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
-# AIDE
+## Control 1.3.1 - allow aide to be configured
+# AIDE is a file integrity checking tool, similar in nature to Tripwire.
+# While it cannot prevent intrusions, it can detect unauthorized changes
+# to configuration files by alerting when the files are changed. Review
+# the AIDE quick start guide and AIDE documentation before proceeding.
+# By setting this variable to `true`, all of the settings related to AIDE will be applied!
 rhel9cis_config_aide: true
-# AIDE cron settings
+
+## Control 1.3.2 AIDE cron settings
+# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
+# The sub-settings of this variable provide the parameters required to configure
+# the cron job on the target system.
+# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
+# and executed automatically at a certain point in time.
 rhel9cis_aide_cron:
+  # This variable represents the user account under which the cron job for AIDE will run.
   cron_user: root
+  # This variable represents the path to the AIDE crontab file.
   cron_file: /etc/cron.d/aide_cron
+  # This variable represents the actual command or script that the cron job
+  # will execute for running AIDE.
   aide_job: '/usr/sbin/aide --check'
+  # These variables define the schedule for the cron job
+  # This variable governs the minute of the time of day when the AIDE cronjob is run.
+  # It must be in the range `0-59`.
   aide_minute: 0
+  # This variable governs the hour of the time of day when the AIDE cronjob is run.
+  # It must be in the range `0-23`.
   aide_hour: 5
+  # This variable governs the day of the month when the AIDE cronjob is run.
+  # `*` signifies that the job is run on all days; furthermore, specific days
+  # can be given in the range `1-31`; several days can be concatenated with a comma.
+  # The specified day(s) can must be in the range `1-31`.
   aide_day: '*'
-  aide_month: '*'
+  # This variable governs months when the AIDE cronjob is run.
+  # `*` signifies that the job is run in every month; furthermore, specific months
+  # can be given in the range `1-12`; several months can be concatenated with commas.
+  # The specified month(s) can must be in the range `1-12`.
+  aide_month: '*'
+  # This variable governs the weekdays, when the AIDE cronjob is run.
+  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
+  # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
+  # can be concatenated with commas.
   aide_weekday: '*'
 # SELinux policy
+# This selects type of policy; targeted or mls ( multilevel )
+# mls should not be used, since it will disable unconfined policy module
+# and may prevent some services from running.
 rhel9cis_selinux_pol: targeted
 # chose onf or enfocing or permissive
+# CIS expects enforcing since permissive allows operations thet might compromise the system.
+# Even though logging still occurs.
 rhel9cis_selinux_enforce: enforcing
 # Whether or not to run tasks related to auditing/patching the desktop environment
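Review bot: The new `rhel9cis_is_router` comment says the skipped rules concern `acceptance and routing of packages`; the network-parameter controls deal with IP packets, not software packages, so it should read `# concerned with acceptance and routing of packets are skipped.` The `aide_day` and `aide_month` comments each end with `The specified day(s) can must be in the range ...`, repeating the range already stated on the previous line and with `can must`; drop those two lines. `rhel9cis_ipv6_required` is described as `whether ipv6 is enabled or disabled`, but the name reads as a statement of requirement that the role acts on (presumably disabling IPv6 only when false); confirm against the tasks and word it accordingly. `thet` in the SELinux comment should be `that`.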
@@ -418,6 +496,11 @@ rhel9cis_selinux_enforce: enforcing
 ### 2.1 Time Synchronization
 #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
+# The following variable represents a list of of time servers used
+# for configuring chrony, timesyncd, and ntp.
+# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
+# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation
+# of the time synchronization mechanism you are using.
 rhel9cis_time_synchronization_servers:
   - 0.pool.ntp.org
   - 1.pool.ntp.org
@@ -426,7 +509,9 @@ rhel9cis_time_synchronization_servers:
 rhel9cis_chrony_server_options: "minpoll 8"
 ### 2.2 Special Purposes
-##### Service configuration booleans set true to keep service
+# Service configuration variables (boolean).
+# Set the respective variable to true to keep the service.
+# otherwise the service is stopped and disabled
 rhel9cis_gui: false
 rhel9cis_avahi_server: false
 rhel9cis_cups_server: false
@@ -444,10 +529,12 @@ rhel9cis_squid_server: false
 rhel9cis_snmp_server: false
 rhel9cis_telnet_server: false
 rhel9cis_is_mail_server: false
-# Note the options
-# Packages are used for client services and Server- only remove if you dont use the client service
-#
+# Note the options
+# Client package configuration variables.
+# Packages are used for client services and Server, only remove if you dont use the client service
+# Set the respective variable to `true` to keep the
+# client package, otherwise it is uninstalled (false).
 rhel9cis_use_nfs_server: false
 rhel9cis_use_nfs_service: false
@@ -463,8 +550,7 @@ rhel9cis_openldap_clients_required: false
 rhel9cis_tftp_client: false
 rhel9cis_ftp_client: false
-## Section3 vars
-## Sysctl
+## Section 3 vars for Sysctl
 rhel9cis_sysctl_update: false
 rhel9cis_flush_ipv4_route: false
 rhel9cis_flush_ipv6_route: false
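Review bot: The new comment on `rhel9cis_time_synchronization_servers` says each list item carries a `name` and an `options` setting, but the items visible in the hunk (`- 0.pool.ntp.org`, `- 1.pool.ntp.org`) are plain strings, and the separate `rhel9cis_chrony_server_options: "minpoll 8"` in the second hunk holds the options for all servers. Unless the list shape changed elsewhere in this commit, the comment documents a structure that does not exist; align it with the real shape, e.g. `# List of time server host names written to the chrony configuration;` / `# per-server options come from rhel9cis_chrony_server_options below.` The rest of the list and the template that consumes it are outside the hunk. `list of of` in the first added line is a doubled word, and in the third hunk `+# Note the options` is re-added unchanged and adds nothing next to the new `Client package configuration variables.` line.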
@@ -484,7 +570,11 @@ rhel9cis_firewalld_ports:
   - number: 80
     protocol: tcp
-#### nftables
+## Controls 3.5.2.x - nftables
+# The default nftables table name is "filter". This variable name will be the one all
+# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create.
+# nftables configs are applied to.
+# options are: inet filter
 rhel9cis_nft_tables_autonewtable: true
 rhel9cis_nft_tables_tablename: filter
 rhel9cis_nft_tables_autochaincreate: true
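Review bot: The four new comment lines under `## Controls 3.5.2.x - nftables` are out of order: `+# The default nftables table name is "filter". This variable name will be the one all` is only completed two lines later by `+# nftables configs are applied to.`, with the `rhel9cis_nft_tables_tablename` sentence spliced in between. Reorder to `# rhel9cis_nft_tables_tablename is the name of the nftables table to create; the default is "filter".` / `# All nftables configuration applied by the role goes into this table.` / `# options are: inet filter`. The last line is also ambiguous, since `inet filter` reads as one value (family plus name) while the variable below holds only `filter`; say whether the family is fixed by the role.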
@@ -496,23 +586,60 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and
 ## Section4 vars
 ### 4.1 Configure System Accounting
 #### 4.1.2 Configure Data Retention
+## Controls what actions, when log files fill up
+# This variable controls how the audit system behaves when
+# log files are getting too full and space is getting too low.
 rhel9cis_auditd:
   space_left_action: email
   action_mail_acct: root
+  # This variable determines the action the audit system should take when disk
+  # space runs low.
+  # The options for setting this variable are as follows:
+  # - `ignore`: the system does nothing when presented with the aforementioned issue;
+  # - `syslog`: a message is sent to the system log about disk space running low;
+  # - `suspend`: the system suspends recording audit events until more space is available;
+  # - `halt`: the system is halted when disk space is critically low.
+  # - `single`: the audit daemon will put the computer system in single user mode
+  # CIS prescribes either `halt` or `single`.
   admin_space_left_action: halt
+  # This variable determines what action the audit system should take when the maximum
+  # size of a log file is reached.
+  # The options for setting this variable are as follows:
+  # - `ignore`: the system does nothing when the size of a log file is full;
+  # - `syslog`: a message is sent to the system log indicating the problem;
+  # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated;
+  # - `rotate`: the log file is rotated (archived) and a new empty log file is created;
+  # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints.
+  # CIS prescribes the value `keep_logs`.
   max_log_file_action: keep_logs
-# The audit_back_log_limit value should never be below 8192
+## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient
+# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
+# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
+# Buffering in memory is useful in situations, where the audit system is overwhelmed
+# with incoming audit events, and needs to temporarily store them until they can be processed.
+# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
 rhel9cis_audit_back_log_limit: 8192
-# The max_log_file parameter should be based on your sites policy
+## Control 4.1.2.1 - Ensure audit log storage size is configured
+# This variable specifies the maximum size in MB that an audit log file can reach
+# before it is archived or deleted to make space for the new audit data.
+# This should be set based on your sites policy. CIS does not provide a specific value.
 rhel9cis_max_log_file_size: 10
-### 4.1.3.x audit template
+## 4.1.3.x - Audit template
+# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the
+# audit settings are overwritten with the role's template. In order to exclude
+# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above
+# to `false`.
 update_audit_template: false
 ## Advanced option found in auditd post
+# users whose actions are not logged by auditd
 rhel9cis_allow_auditd_uid_user_exclusions: false
+# add a list of uids to be excluded.
+rhel9cis_auditd_uid_exclude:
+  - 1999
 # This can be used to configure other keys in auditd.conf
 rhel9cis_auditd_extra_conf: {}
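Review bot: The new `rhel9cis_auditd_uid_exclude` default ships a concrete UID (`- 1999`) in the role defaults, so any site that flips `rhel9cis_allow_auditd_uid_user_exclusions` to true without overriding the list silently stops auditing whichever account holds UID 1999 on that host. Ship an empty list (`rhel9cis_auditd_uid_exclude: []`) and put the example in the comment instead, e.g. `# uids excluded from the auditd rules, e.g. [1999]; only applied when rhel9cis_allow_auditd_uid_user_exclusions is true`. The line `+# users whose actions are not logged by auditd` sits above the boolean but describes the list, so swap the two comments so each sits above the key it explains. The old line `The audit_back_log_limit value should never be below 8192` is replaced by a softer `recommends at least 8192`; keep the floor explicit, since a smaller backlog drops events under load.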
@@ -528,35 +655,63 @@ rhel9cis_rsyslog_ansiblemanaged: true
 #### 4.2.1.6 remote and destation log server name
 rhel9cis_remote_log_server: false
-rhel9cis_remote_log_host: logagg.example.com
+rhel9cis_remote_log_host: 192.168.2.100
 rhel9cis_remote_log_port: 514
 rhel9cis_remote_log_protocol: tcp
 rhel9cis_remote_log_retrycount: 100
 rhel9cis_remote_log_queuesize: 1000
 #### 4.2.1.7
+# This variable expresses whether the system is used as a log server or not.
+# If set to `true`, controls that interfere with log server functionality or
+# require that own system logs be sent to some other log server are skipped.
 rhel9cis_system_is_log_server: false
 # 4.2.2.1.2
 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to
 rhel9cis_journal_upload_url: 192.168.50.42
-# The paths below have the default paths/files, but allow user to create custom paths/filenames
+
+## The paths below have the default paths/files, but allow user to create custom paths/filenames
+# This variable specifies the path to the private key file used by the remote journal
+# server to authenticate itself to the client. This key is used alongside the server's
+# public certificate to establish secure communication.
 rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
+# This variable specifies the path to the public certificate file of the remote journal
+# server. This certificate is used to verify the authenticity of the remote server.
 rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
+# This variable specifies the path to a file containing one or more public certificates
+# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
+# to validate the authenticity of the remote server's certificate.
 rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
 # 4.2.2.1
 # The variables below related to journald, please set these to your site specific values
+# These variable specifies how much disk space the journal may use up at most
+# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
+# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
+# ATTENTION: Uncomment the keyword below when values are set!
 # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use
 rhel9cis_journald_systemmaxuse: 10M
 # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free
 rhel9cis_journald_systemkeepfree: 100G
+# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most.
+# same as rhel9cis_journald_systemmaxuse.
 rhel9cis_journald_runtimemaxuse: 10M
+# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free
+# same as rhel9cis_journald_systemkeepfree.
 rhel9cis_journald_runtimekeepfree: 100G
-# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+# rhel9cis_journald_MaxFileSec is how long in time to keep log files.
+# This variable specifies, the maximum time to store entries in a single journal
+# file before rotating to the next one. Set to 0 to turn off this feature.
+# The given values is interpreted as seconds, unless suffixed with the units
+# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
+# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+# ATTENTION: Uncomment the keyword below when values are set!
 rhel9cis_journald_maxfilesec: 1month
 #### 4.3
+# This variable defines the log file rotation period.
+# Options are: daily, monthly, yearly.
 rhel9cis_logrotate: "daily"
 ## Section5 vars
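Review bot: The two added `+# ATTENTION: Uncomment the keyword below when values are set!` lines do not match the code: the keys they point at (`rhel9cis_journald_systemmaxuse` and `rhel9cis_journald_maxfilesec`) are active, uncommented context lines, so the instruction is stale and should be dropped or rewritten as `# Set these to your site values; the role writes them into journald.conf`. The descriptions of `rhel9cis_journal_upload_serverkeyfile` and `rhel9cis_journal_servercertificatefile` as the remote server's key and certificate look reversed: these paths correspond to the `ServerKeyFile=`/`ServerCertificateFile=` settings of journal-upload.conf, which are the key and certificate the uploading host presents to the remote server, with `TrustedCertificateFile=` being the CA used to verify that server; confirm against the systemd-journal-upload documentation before merging. Replacing `logagg.example.com` with `192.168.2.100` as `rhel9cis_remote_log_host` trades a reserved example name for an address that may exist on a user's network, so the `example.com` placeholder was the safer default even with `rhel9cis_remote_log_server` false. `These variable specifies` should be `These variables specify`.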
@@ -565,20 +720,61 @@ rhel9cis_logrotate: "daily"
 rhel9_cis_sshd_config_file: /etc/ssh/sshd_config
 rhel9cis_sshd:
-  clientalivecountmax: 0
-  clientaliveinterval: 900
+  # This variable sets the maximum number of unresponsive "keep-alive" messages
+  # that can be sent from the server to the client before the connection is considered
+  # inactive and thus, closed.
+  clientalivecountmax: 3
+  # This variable sets the time interval in seconds between sending "keep-alive"
+  # messages from the server to the client. These types of messages are intended to
+  # keep the connection alive and prevent it being terminated due to inactivity.
+  clientaliveinterval: 300
+  # This variable specifies the amount of seconds allowed for successful authentication to
+  # the SSH server.
   logingracetime: 60
-  # WARNING: make sure you understand the precedence when working with these values!!
-  # allowusers:
-  # allowgroups: systems dba
-  # denyusers:
-  # denygroups:
-
-# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
+  # access for users whose user name matches one of the patterns. This is done
+  # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
+  # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  allow_users: ""
+  # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, https://linux.die.net/man/5/sshd_config
+  allow_groups: wheel
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+  # for users whose user name matches one of the patterns. This is done
+  # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+  # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_users: nobody
+  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_groups: ""
+
+# 5.2.5 SSH LogLevel setting.
+# This variable is used to control the verbosity of the logging produced by the SSH server.
+# The options for setting it are as follows:
+# - `QUIET`: Minimal logging;
+# - `FATAL`: logs only fatal errors;
+# - `ERROR`: logs error messages;
+# - `INFO`: logs informational messages in addition to errors;
+# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
+# - `DEBUG`: generates very detailed debugging information including sensitive information.
+# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1.
 rhel9cis_ssh_loglevel: INFO
 # 5.2.19 SSH MaxSessions setting. Must be 4 our less
 rhel9cis_ssh_maxsessions: 4
+## Control 5.5.1.4
+# This variable specifies the number of days of inactivity before an account will be locked.
+# CIS requires a value of 30 days or less.
 rhel9cis_inactivelock:
   lock_days: 30
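Review bot: `allow_groups: wheel` and `deny_users: nobody` are now live defaults where the old lines were commented-out examples, so every host the role runs against gets `AllowGroups wheel` in sshd_config and any SSH user outside that group, including the Ansible connection user if it is not in wheel, is locked out on the next sshd reload. Keep the defaults empty (`allow_groups: ""`, `deny_users: ""`) and say in the comment that the CIS "SSH access is limited" control needs at least one of the four directives set per site policy, or at minimum put the lockout risk in the `allow_groups` comment. The new log-level list drops the removed line's guidance that the acceptable values are `INFO` or `VERBOSE`; re-add `# CIS requires INFO or VERBOSE; the DEBUG levels log sensitive material and are not for production use.` Minor: `spcieifed` should be `specified`, and the `(String)` prefix appears only on the `allow_groups` comment.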
@@ -596,32 +792,65 @@ rhel9cis_authselect_custom_profile_create: false
 # 5.3.2 Enable automation to select custom profile options, using the settings above
 rhel9cis_authselect_custom_profile_select: false
+## Controls 5.5.1.x - Password settings
 rhel9cis_pass:
+  ## Control 5.5.1.2
+  # This variable governs after how many days a password expires.
+  # CIS requires a value of 365 or less.
   max_days: 365
+  ## Control 5.5.1.1
+  # This variable specifies the minimum number of days allowed between changing passwords.
+  # CIS requires a value of at least 1.
   min_days: 7
+  ## Control 5.5.1.3
+  # This variable governs, how many days before a password expires, the user will be warned.
+  # CIS requires a value of at least 7.
   warn_age: 7
 # 5.5.1
 ## PAM
 rhel9cis_pam_password:
+  # This variable sets the minimum chars a password needs to be set.
   minlen: 14
+  # This variable set password complexity,the minimum number of
+  # character types that must be used (i.e., uppercase, lowercase, digits, other)
+  # Set to 2, passwords cannot have all lower/upper case.
+  # Set to 3, passwords needs numbers.
+  # set to 4, passwords will have to include all four types of characters.
   minclass: 4
 rhel9cis_pam_faillock:
+  # This variable sets the amount of time a user will be unlocked after
+  # the max amount of password failures.
   unlock_time: 900
+  # This variable sets the amount of tries a password can be entered, before a user is locked.
   deny: 5
+  # This variable represents the number of password change cycles, after which
+  # a user can re-use a password.
+  # CIS requires a value of 5 or more.
   remember: 5
 # UID settings for interactive users
 # These are discovered via logins.def if set true
 discover_int_uid: false
+# This variable sets the minimum number from which to search for UID
+# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
+# been set to `true`.
 min_int_uid: 1000
+# This variable sets the maximum number at which the search stops for UID
+# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
+# been set to `true`.
 max_int_uid: 65533
 # 5.3.3 var log location variable
+# This variable defines the path and file name of the sudo log file.
 rhel9cis_sudolog_location: "/var/log/sudo.log"
 #### 5.3.6
+# This variable sets the duration (in minutes) during which a user's authentication credentials
+# are cached after successfully authenticating using "sudo". This allows the user to execute
+# multiple commands with elevated privileges without needing to re-enter their password for each
+# command within the specified time period. CIS requires a value of at most 15 minutes.
 rhel9cis_sudo_timestamp_timeout: 15
 ### 5.4.2 authselect and faillock
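Review bot: The `minclass` comment misstates the setting: `+# Set to 3, passwords needs numbers.` is wrong, because minclass only counts how many of the four character classes (uppercase, lowercase, digits, other) must appear, not which ones; replace the three `Set to N` lines with `# e.g. 3 requires any three of the four classes; 4 requires all of them.` The `unlock_time` comment omits the unit and reads backwards; `# seconds a user stays locked after reaching the failure count (deny)` says what the value is. `dicover_int_uid` in the two UID comments should be `discover_int_uid`, the key shown just above, and `This variable set password complexity,the minimum` needs `sets` and a space after the comma.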
@@ -636,12 +865,24 @@ rhel9cis_5_4_2_risks: NEVER
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)
 rhel9cis_shell_session_timeout:
+  # This variable specifies the path of the timeout setting file.
+  # (TMOUT setting can be set in multiple files, but only one is required for the
+  # rule to pass. Options are:
+  # - a file in `/etc/profile.d/` ending in `.s`,
+  # - `/etc/profile`, or
+  # - `/etc/bash.bashrc`.
   file: /etc/profile.d/tmout.sh
+  # This variable represents the amount of seconds a command or process is allowed to
+  # run before being forcefully terminated.
+  # CIS requires a value of at most 900 seconds.
   timeout: 600
 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel9cis_futurepwchgdate_autofix: true
-# 5.3.7
+## 5.3.7
+# This variable determines the group of users that are allowed to use the su command.
+# one to specify a user group that is allowed to use the "su" command.
+# CIS requires that such a group be created (named according to site policy) and be kept empty.
 rhel9cis_sugroup: nosugroup
 ## Section6 vars
@@ -654,7 +895,7 @@ rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
 # 6.2.16
-## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
+## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis reedbacj
 rhel_09_6_2_16_home_follow_symlinks: false
 #### Goss Configuration Settings ####
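Review bot: The new comment on `timeout` under `rhel9cis_shell_session_timeout` describes a command execution limit (`a command or process is allowed to run before being forcefully terminated`), but the setting written is the shell `TMOUT` variable named in the kept comment above, which is the number of seconds of inactivity at an interactive prompt before the shell exits; reword to `# Seconds of shell inactivity before the session is terminated (TMOUT).` In the `file` comment, `ending in \`.s\`` is a truncation of `.sh` (the default below is `tmout.sh`), and on RHEL the system-wide bashrc is `/etc/bashrc`, not the Debian-style `/etc/bash.bashrc`; the opening parenthesis in that comment is also never closed. The `rhel9cis_sugroup` comment has a dangling line `+# one to specify a user group that is allowed to use the "su" command.` that repeats the previous sentence and should be removed.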