---
# defaults file for rhel9_anssi_bp28_high
#
# Role defaults for the rhel9_anssi_bp28_high hardening role. Three kinds of
# keys appear in this file:
#   * value variables (var_*, sysctl_*_value, rsyslog_remote_loghost_address,
#     sshd_idle_timeout_value) - the settings the role's tasks write into
#     system configuration;
#   * DISA_STIG_RHEL_09_* - boolean switches keyed by STIG identifier;
#   * everything else - boolean switches keyed by rule or tag name.
# NOTE(review): the layout looks like the Ansible roles generated from
# ComplianceAsCode, where each boolean gates tasks through tags / `when`;
# confirm against tasks/main.yml before relying on that.
#
# Numeric settings are deliberately quoted strings ('2', '077', ...). Keep the
# quotes when overriding: an unquoted 077 would be read as an octal integer by
# YAML and an unquoted 1.10-style value as a float.

# --- Value variables -------------------------------------------------------

# Recipient of AIDE integrity-check reports. root@localhost is only a
# placeholder; point it at a monitored mailbox in group_vars/host_vars.
var_aide_scan_notification_email: root@localhost
var_authselect_profile: minimal
# Number of previous passwords pam_unix refuses to reuse.
var_password_pam_unix_remember: '2'
# pam_faillock: lock after 3 failures within 900 s, unlock after 900 s.
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_fail_interval: '900'
var_accounts_passwords_pam_faillock_unlock_time: '900'
# pam_pwquality: at least one digit, lowercase, special and uppercase
# character (negative credit = required count), minimum length 18.
var_password_pam_dcredit: '-1'
var_password_pam_lcredit: '-1'
var_password_pam_minlen: '18'
var_password_pam_ocredit: '-1'
var_password_pam_ucredit: '-1'
# /etc/login.defs: maximum password age in days and minimum length.
var_accounts_maximum_age_login_defs: '90'
var_accounts_password_minlen_login_defs: '18'
# Presumably the pam_unix rounds= hashing-cost option - confirm in the task.
var_password_pam_unix_rounds: '65536'
# Shell idle timeout (TMOUT) in seconds.
var_accounts_tmout: '600'
# Default umask for user sessions; quoted so the leading zero survives YAML.
var_accounts_user_umask: '077'
var_accounts_passwords_pam_faillock_dir: /var/log/faillock
# Kernel command-line mitigation arguments applied by the grub2_* rules below.
var_l1tf_options: full,force
var_mds_options: full,nosmt
var_rng_core_default_quality: '500'
var_spec_store_bypass_disable_options: seccomp
# Remote log collector used by rsyslog_remote_loghost. "logcollector" is a
# placeholder hostname; it must resolve in your environment, and because
# rsyslog_remote_tls is enabled below the collector presumably has to present
# a certificate the client trusts - verify the TLS setup end to end.
rsyslog_remote_loghost_address: logcollector
# IPv6: do not accept router advertisements, redirects, source routing or
# autoconfiguration; limit each interface to a single address.
sysctl_net_ipv6_conf_all_accept_ra_defrtr_value: '0'
sysctl_net_ipv6_conf_all_accept_ra_pinfo_value: '0'
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value: '0'
sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
sysctl_net_ipv6_conf_all_accept_source_route_value: '0'
sysctl_net_ipv6_conf_all_autoconf_value: '0'
sysctl_net_ipv6_conf_all_max_addresses_value: '1'
sysctl_net_ipv6_conf_all_router_solicitations_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_defrtr_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_pinfo_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value: '0'
sysctl_net_ipv6_conf_default_accept_redirects_value: '0'
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
sysctl_net_ipv6_conf_default_autoconf_value: '0'
sysctl_net_ipv6_conf_default_max_addresses_value: '1'
sysctl_net_ipv6_conf_default_router_solicitations_value: '0'
# IPv4: reject redirects and source routing, strict reverse-path filtering
# (rp_filter=1), arp_ignore=2, SYN cookies and RFC 1337 protection on.
# Strict rp_filter can drop traffic on asymmetric-routing hosts - check
# multi-homed systems before rolling this out.
sysctl_net_ipv4_conf_all_accept_redirects_value: '0'
sysctl_net_ipv4_conf_all_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_arp_filter_value: '0'
sysctl_net_ipv4_conf_all_arp_ignore_value: '2'
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_all_shared_media_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_default_rp_filter_value: '1'
sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_shared_media_value: '0'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_rfc1337_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'
# kptr_restrict=2 hides kernel pointers from all users, including root.
sysctl_kernel_kptr_restrict_value: '2'
# slub_debug= kernel argument flags.
var_slub_debug_options: FZP
# SELinux: targeted policy, enforcing mode.
var_selinux_policy_name: targeted
var_selinux_state: enforcing
# SELinux boolean values; kept as quoted strings on purpose, not YAML booleans.
var_polyinstantiation_enabled: 'true'
var_selinuxuser_execheap: 'false'
var_selinuxuser_execstack: 'false'
var_ssh_sysadm_login: 'false'
# Placeholder alias for root's mail - must be overridden with a real address.
var_postfix_root_mail_alias: change_me@localhost
# Postfix listens on loopback only.
var_postfix_inet_interfaces: loopback-only
# Public NTP pool used by chronyd_specify_remote_server; replace with
# internal time sources on networks without egress.
var_multiple_time_servers: 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
# sshd: no keepalive probes, idle sessions dropped after 600 s.
var_sshd_set_keepalive: '0'
sshd_idle_timeout_value: '600'

# --- Switches keyed by DISA STIG RHEL 9 identifier ------------------------
# All enabled. Setting one to false presumably skips the tasks tagged with
# that identifier - confirm in tasks/main.yml.
DISA_STIG_RHEL_09_211015: true
DISA_STIG_RHEL_09_212040: true
DISA_STIG_RHEL_09_212045: true
DISA_STIG_RHEL_09_212050: true
DISA_STIG_RHEL_09_213010: true
DISA_STIG_RHEL_09_213015: true
DISA_STIG_RHEL_09_213025: true
DISA_STIG_RHEL_09_213030: true
DISA_STIG_RHEL_09_213035: true
DISA_STIG_RHEL_09_213070: true
DISA_STIG_RHEL_09_213075: true
DISA_STIG_RHEL_09_213080: true
DISA_STIG_RHEL_09_214010: true
DISA_STIG_RHEL_09_214015: true
DISA_STIG_RHEL_09_214020: true
DISA_STIG_RHEL_09_214025: true
DISA_STIG_RHEL_09_215020: true
DISA_STIG_RHEL_09_215030: true
DISA_STIG_RHEL_09_215035: true
DISA_STIG_RHEL_09_215040: true
DISA_STIG_RHEL_09_215060: true
DISA_STIG_RHEL_09_231050: true
DISA_STIG_RHEL_09_231055: true
DISA_STIG_RHEL_09_231100: true
DISA_STIG_RHEL_09_231130: true
DISA_STIG_RHEL_09_231135: true
DISA_STIG_RHEL_09_231150: true
DISA_STIG_RHEL_09_231155: true
DISA_STIG_RHEL_09_231180: true
DISA_STIG_RHEL_09_231185: true
DISA_STIG_RHEL_09_231200: true
DISA_STIG_RHEL_09_232055: true
DISA_STIG_RHEL_09_232065: true
DISA_STIG_RHEL_09_232075: true
DISA_STIG_RHEL_09_232110: true
DISA_STIG_RHEL_09_232150: true
DISA_STIG_RHEL_09_232240: true
DISA_STIG_RHEL_09_232245: true
DISA_STIG_RHEL_09_232270: true
DISA_STIG_RHEL_09_251045: true
DISA_STIG_RHEL_09_252010: true
DISA_STIG_RHEL_09_253010: true
DISA_STIG_RHEL_09_253015: true
DISA_STIG_RHEL_09_253020: true
DISA_STIG_RHEL_09_253035: true
DISA_STIG_RHEL_09_253040: true
DISA_STIG_RHEL_09_253045: true
DISA_STIG_RHEL_09_253050: true
DISA_STIG_RHEL_09_253060: true
DISA_STIG_RHEL_09_253065: true
DISA_STIG_RHEL_09_253070: true
DISA_STIG_RHEL_09_254015: true
DISA_STIG_RHEL_09_254020: true
DISA_STIG_RHEL_09_254035: true
DISA_STIG_RHEL_09_254040: true
DISA_STIG_RHEL_09_255045: true
DISA_STIG_RHEL_09_255095: true
DISA_STIG_RHEL_09_255100: true
DISA_STIG_RHEL_09_255120: true
DISA_STIG_RHEL_09_411010: true
DISA_STIG_RHEL_09_411075: true
DISA_STIG_RHEL_09_411080: true
DISA_STIG_RHEL_09_411085: true
DISA_STIG_RHEL_09_411090: true
DISA_STIG_RHEL_09_412035: true
DISA_STIG_RHEL_09_412055: true
DISA_STIG_RHEL_09_412065: true
DISA_STIG_RHEL_09_412070: true
DISA_STIG_RHEL_09_431010: true
DISA_STIG_RHEL_09_431015: true
DISA_STIG_RHEL_09_432010: true
DISA_STIG_RHEL_09_432025: true
DISA_STIG_RHEL_09_611050: true
DISA_STIG_RHEL_09_611055: true
DISA_STIG_RHEL_09_611065: true
DISA_STIG_RHEL_09_611070: true
DISA_STIG_RHEL_09_611085: true
DISA_STIG_RHEL_09_611090: true
DISA_STIG_RHEL_09_611095: true
DISA_STIG_RHEL_09_611100: true
DISA_STIG_RHEL_09_611110: true
DISA_STIG_RHEL_09_651010: true
DISA_STIG_RHEL_09_651015: true
DISA_STIG_RHEL_09_651030: true
DISA_STIG_RHEL_09_651035: true
DISA_STIG_RHEL_09_652015: true
DISA_STIG_RHEL_09_652055: true
DISA_STIG_RHEL_09_653010: true
DISA_STIG_RHEL_09_653015: true
DISA_STIG_RHEL_09_653125: true
DISA_STIG_RHEL_09_654015: true
DISA_STIG_RHEL_09_654020: true
DISA_STIG_RHEL_09_654025: true
DISA_STIG_RHEL_09_654065: true
DISA_STIG_RHEL_09_654070: true
DISA_STIG_RHEL_09_654075: true
DISA_STIG_RHEL_09_654080: true
DISA_STIG_RHEL_09_654105: true
DISA_STIG_RHEL_09_654150: true
DISA_STIG_RHEL_09_654210: true
DISA_STIG_RHEL_09_654225: true
DISA_STIG_RHEL_09_654230: true
DISA_STIG_RHEL_09_654235: true
DISA_STIG_RHEL_09_654240: true
DISA_STIG_RHEL_09_654245: true
DISA_STIG_RHEL_09_654250: true
DISA_STIG_RHEL_09_654255: true
DISA_STIG_RHEL_09_654275: true

# --- Switches keyed by rule / tag name -------------------------------------
# All enabled; set an entry to false to skip that rule (or, for the
# severity/disruption/strategy/reboot tags, that whole category). Note that
# high_disruption and reboot_required are both true, so the most intrusive
# remediations (mount options, grub2 arguments, module-loading lockdown) run.

# Password policy, login.defs, pam_faillock and umask rules.
accounts_maximum_age_login_defs: true
accounts_password_minlen_login_defs: true
accounts_password_pam_dcredit: true
accounts_password_pam_lcredit: true
accounts_password_pam_minlen: true
accounts_password_pam_ocredit: true
accounts_password_pam_ucredit: true
accounts_password_pam_unix_remember: true
accounts_password_pam_unix_rounds_password_auth: true
accounts_password_pam_unix_rounds_system_auth: true
accounts_passwords_pam_faillock_deny: true
# Locks out root after failed attempts too; keep console/recovery access in
# mind when enabling.
accounts_passwords_pam_faillock_deny_root: true
accounts_passwords_pam_faillock_interval: true
accounts_passwords_pam_faillock_unlock_time: true
accounts_tmout: true
accounts_umask_etc_bashrc: true
accounts_umask_etc_login_defs: true
accounts_umask_etc_profile: true
# AIDE file-integrity baseline, scheduled checks and notifications.
aide_build_database: true
aide_periodic_cron_checking: true
aide_scan_notification: true
aide_verify_acls: true
aide_verify_ext_attributes: true
# auditd rules: DAC changes, deletions, module loading, logins, privileged
# commands, time changes, failed file access and account-file edits.
audit_rules_dac_modification_chmod: true
audit_rules_dac_modification_chown: true
audit_rules_dac_modification_fchmod: true
audit_rules_dac_modification_fchmodat: true
audit_rules_dac_modification_fchown: true
audit_rules_dac_modification_fchownat: true
audit_rules_dac_modification_fremovexattr: true
audit_rules_dac_modification_fsetxattr: true
audit_rules_dac_modification_lchown: true
audit_rules_dac_modification_lremovexattr: true
audit_rules_dac_modification_lsetxattr: true
audit_rules_dac_modification_removexattr: true
audit_rules_dac_modification_setxattr: true
audit_rules_dac_modification_umount2: true
audit_rules_file_deletion_events_rename: true
audit_rules_file_deletion_events_renameat: true
audit_rules_file_deletion_events_rmdir: true
audit_rules_file_deletion_events_unlink: true
audit_rules_file_deletion_events_unlinkat: true
# Makes the audit rule set immutable (-e 2); further rule changes need a reboot.
audit_rules_immutable: true
audit_rules_kernel_module_loading_delete: true
audit_rules_kernel_module_loading_finit: true
audit_rules_kernel_module_loading_init: true
audit_rules_login_events_faillock: true
audit_rules_login_events_lastlog: true
audit_rules_mac_modification: true
audit_rules_media_export: true
audit_rules_networkconfig_modification: true
audit_rules_privileged_commands: true
audit_rules_privileged_commands_kmod: true
audit_rules_privileged_commands_sudo: true
audit_rules_session_events: true
audit_rules_sysadmin_actions: true
audit_rules_time_adjtimex: true
audit_rules_time_clock_settime: true
audit_rules_time_stime: true
audit_rules_time_watch_localtime: true
audit_rules_unsuccessful_file_modification_creat: true
audit_rules_unsuccessful_file_modification_ftruncate: true
audit_rules_unsuccessful_file_modification_open: true
audit_rules_unsuccessful_file_modification_openat: true
audit_rules_unsuccessful_file_modification_truncate: true
audit_rules_usergroup_modification_group: true
audit_rules_usergroup_modification_gshadow: true
audit_rules_usergroup_modification_opasswd: true
audit_rules_usergroup_modification_passwd: true
audit_rules_usergroup_modification_shadow: true
audit_sudo_log_events: true
# Time sync against var_multiple_time_servers.
chronyd_specify_remote_server: true
# Strategy tags (configure/disable/enable/patch/restrict/unknown).
configure_strategy: true
dir_perms_world_writable_root_owned: true
dir_perms_world_writable_sticky_bits: true
disable_strategy: true
enable_authselect: true
enable_strategy: true
# Package signature verification and vendor GPG key.
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_local_packages: true
ensure_gpgcheck_never_disabled: true
ensure_logrotate_activated: true
ensure_redhat_gpgkey_installed: true
# Ownership/permissions of account files and the sshd host key.
file_owner_etc_gshadow: true
file_owner_etc_shadow: true
file_permissions_etc_group: true
file_permissions_etc_gshadow: true
file_permissions_etc_passwd: true
file_permissions_etc_shadow: true
file_permissions_sshd_private_key: true
# Kernel command-line hardening; takes effect after the bootloader config is
# regenerated and the host rebooted. nosmt in var_mds_options halves the
# usable logical CPUs on SMT hardware.
grub2_enable_iommu_force: true
grub2_l1tf_argument: true
grub2_mce_argument: true
grub2_mds_argument: true
grub2_nosmap_argument_absent: true
grub2_nosmep_argument_absent: true
grub2_page_alloc_shuffle_argument: true
grub2_page_poison_argument: true
grub2_pti_argument: true
grub2_rng_core_default_quality_argument: true
grub2_slab_nomerge_argument: true
grub2_slub_debug_argument: true
grub2_spec_store_bypass_disable_argument: true
grub2_spectre_v2_argument: true
# Disruption / severity / complexity tags - all categories enabled.
high_disruption: true
high_severity: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
# Mount options. These assume the named paths are separate filesystems;
# noexec on /home, /tmp, /var and /var/tmp will break anything that executes
# from those locations - check the tasks' behaviour when a mount is absent.
mount_option_boot_noexec: true
mount_option_boot_nosuid: true
mount_option_home_noexec: true
mount_option_home_nosuid: true
mount_option_nodev_nonroot_local_partitions: true
mount_option_opt_nosuid: true
mount_option_srv_nosuid: true
mount_option_tmp_noexec: true
mount_option_tmp_nosuid: true
mount_option_var_log_noexec: true
mount_option_var_log_nosuid: true
mount_option_var_noexec: true
mount_option_var_nosuid: true
mount_option_var_tmp_noexec: true
mount_option_var_tmp_nosuid: true
# Together with sshd_disable_root_login below this removes every direct root
# login path; make sure a non-root administrator with sudo exists first.
no_direct_root_logins: true
# Reboot tags - both categories enabled.
no_reboot_needed: true
# Package installs and removals (legacy/cleartext services, NIS, xinetd,
# setroubleshoot, sendmail, dhcp client).
package_aide_installed: true
package_audit_installed: true
package_chrony_installed: true
package_dhcp_removed: true
package_dnf_automatic_installed: true
package_logrotate_installed: true
package_rsh_removed: true
package_rsh_server_removed: true
package_rsyslog_gnutls_installed: true
package_sendmail_removed: true
package_setroubleshoot_plugins_removed: true
package_setroubleshoot_removed: true
package_setroubleshoot_server_removed: true
package_sudo_installed: true
package_talk_removed: true
package_talk_server_removed: true
package_telnet_removed: true
package_telnet_server_removed: true
package_tftp_removed: true
package_tftp_server_removed: true
package_xinetd_removed: true
package_ypbind_removed: true
package_ypserv_removed: true
patch_strategy: true
# Postfix: root alias from var_postfix_root_mail_alias, loopback-only listener.
postfix_client_configure_mail_alias: true
postfix_network_listening_disabled: true
reboot_required: true
restrict_strategy: true
# rsyslog: local log file ownership/permissions and TLS forwarding to
# rsyslog_remote_loghost_address.
rsyslog_files_groupownership: true
rsyslog_files_ownership: true
rsyslog_files_permissions: true
rsyslog_remote_loghost: true
rsyslog_remote_tls: true
# SELinux booleans and state from the var_* values above.
sebool_polyinstantiation_enabled: true
sebool_selinuxuser_execheap: true
sebool_selinuxuser_execstack: true
sebool_ssh_sysadm_login: true
# Applies pending package updates during the run.
security_patches_up_to_date: true
selinux_policytype: true
selinux_state: true
service_auditd_enabled: true
set_password_hashing_algorithm_systemauth: true
skip_ansible_lint: true
# sshd: root login off, idle timeout and keepalive from the var_* values.
sshd_disable_root_login: true
sshd_set_idle_timeout: true
sshd_set_keepalive: true
# sudoers hardening. Removing NOPASSWD and !authenticate and adding
# requiretty will break unattended automation that relies on passwordless
# or non-tty sudo - audit existing sudoers entries before applying.
sudo_add_noexec: true
sudo_add_requiretty: true
sudo_add_use_pty: true
sudo_remove_no_authenticate: true
sudo_remove_nopasswd: true
# Kernel sysctls: filesystem link/FIFO protections, no core dumps from setuid
# binaries, restricted dmesg/kptr/perf/BPF/ptrace, ASLR, SysRq off, etc.
sysctl_fs_protected_fifos: true
sysctl_fs_protected_hardlinks: true
sysctl_fs_protected_regular: true
sysctl_fs_protected_symlinks: true
sysctl_fs_suid_dumpable: true
sysctl_kernel_dmesg_restrict: true
sysctl_kernel_kptr_restrict: true
# Disables further module loading for the running kernel; once set it cannot
# be undone without a reboot, so any task that still needs a module must run
# before it - check task ordering.
sysctl_kernel_modules_disabled: true
sysctl_kernel_panic_on_oops: true
sysctl_kernel_perf_cpu_time_max_percent: true
sysctl_kernel_perf_event_max_sample_rate: true
sysctl_kernel_perf_event_paranoid: true
sysctl_kernel_pid_max: true
sysctl_kernel_randomize_va_space: true
sysctl_kernel_sysrq: true
sysctl_kernel_unprivileged_bpf_disabled: true
sysctl_kernel_yama_ptrace_scope: true
sysctl_net_core_bpf_jit_harden: true
# Network sysctls; values come from the sysctl_*_value keys above where one
# exists. ip_forward off will break hosts acting as routers/container hosts.
sysctl_net_ipv4_conf_all_accept_local: true
sysctl_net_ipv4_conf_all_accept_redirects: true
sysctl_net_ipv4_conf_all_accept_source_route: true
sysctl_net_ipv4_conf_all_arp_filter: true
sysctl_net_ipv4_conf_all_arp_ignore: true
sysctl_net_ipv4_conf_all_drop_gratuitous_arp: true
sysctl_net_ipv4_conf_all_route_localnet: true
sysctl_net_ipv4_conf_all_rp_filter: true
sysctl_net_ipv4_conf_all_secure_redirects: true
sysctl_net_ipv4_conf_all_send_redirects: true
sysctl_net_ipv4_conf_all_shared_media: true
sysctl_net_ipv4_conf_default_accept_redirects: true
sysctl_net_ipv4_conf_default_accept_source_route: true
sysctl_net_ipv4_conf_default_rp_filter: true
sysctl_net_ipv4_conf_default_secure_redirects: true
sysctl_net_ipv4_conf_default_send_redirects: true
sysctl_net_ipv4_conf_default_shared_media: true
sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true
sysctl_net_ipv4_ip_forward: true
sysctl_net_ipv4_ip_local_port_range: true
sysctl_net_ipv4_tcp_rfc1337: true
sysctl_net_ipv4_tcp_syncookies: true
sysctl_net_ipv6_conf_all_accept_ra_defrtr: true
sysctl_net_ipv6_conf_all_accept_ra_pinfo: true
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref: true
sysctl_net_ipv6_conf_all_accept_redirects: true
sysctl_net_ipv6_conf_all_accept_source_route: true
sysctl_net_ipv6_conf_all_autoconf: true
sysctl_net_ipv6_conf_all_max_addresses: true
sysctl_net_ipv6_conf_all_router_solicitations: true
sysctl_net_ipv6_conf_default_accept_ra_defrtr: true
sysctl_net_ipv6_conf_default_accept_ra_pinfo: true
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref: true
sysctl_net_ipv6_conf_default_accept_redirects: true
sysctl_net_ipv6_conf_default_accept_source_route: true
sysctl_net_ipv6_conf_default_autoconf: true
sysctl_net_ipv6_conf_default_max_addresses: true
sysctl_net_ipv6_conf_default_router_solicitations: true
sysctl_vm_mmap_min_addr: true
timer_logrotate_enabled: true
# Catch-all tags for rules without a severity or strategy classification.
unknown_severity: true
unknown_strategy: true