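---
# defaults file for rhel7_pci_dss
#
# Role defaults (lowest-precedence Ansible variables). Two kinds of keys live
# here: parameter values (`var_*`, `sysctl_*_value`, `sshd_*_value`,
# `inactivity_timeout_value`) and boolean toggles that, judging by their
# names, select which DISA STIG / PCI-DSS rule groups the role applies.
# The toggles are consumed elsewhere in the role; nothing in this file
# establishes their exact effect.
#
# Numeric parameters are deliberately quoted strings ('900', '0', '-1', …).
# Keep that convention when adding values so the YAML loader never re-types
# them (leading zeros, `1.10`-style strings, `HH:MM` values) before the role
# templates them into configuration files.

# --- Session timeout, screensaver, sudo ---------------------------------
inactivity_timeout_value: '900'
var_screensaver_lock_delay: '10'
var_sudo_logfile: /var/log/sudo.log
var_sudo_timestamp_timeout: '5'

# --- PAM password history, quality and lockout ---------------------------
var_password_pam_remember: '4'
var_password_pam_remember_control_flag: requisite,required
var_password_pam_unix_remember: '4'
var_accounts_passwords_pam_faillock_deny: '10'
var_accounts_passwords_pam_faillock_unlock_time: '1800'
# Negative credit values are pwquality's "require at least N" convention.
var_password_pam_dcredit: '-1'
var_password_pam_lcredit: '-1'
var_password_pam_minlen: '12'
var_password_hashing_algorithm: SHA512

# --- Account aging (login.defs / useradd) ---------------------------------
var_account_disable_post_pw_expiration: '90'
var_accounts_maximum_age_login_defs: '90'
var_accounts_password_warn_age_login_defs: '7'
var_pam_wheel_group_for_su: sugroup
var_accounts_tmout: '600'
var_accounts_passwords_pam_faillock_dir: /var/log/faillock

# --- auditd disk-space handling and log naming ----------------------------
var_auditd_admin_space_left_action: single
var_auditd_space_left: '100'
var_auditd_space_left_action: email
var_auditd_name_format: fqd

# --- sysctl network hardening values ---------------------------------------
# Stored as strings ('0' / '1'), not booleans, to match the quoting
# convention used for every other numeric parameter in this file.
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'

# --- SELinux, postfix, time sources ----------------------------------------
var_selinux_policy_name: targeted
var_selinux_state: enforcing
var_postfix_inet_interfaces: loopback-only
var_multiple_time_servers: 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

# --- sshd parameters ---------------------------------------------------------
var_sshd_set_keepalive: '0'
sshd_idle_timeout_value: '900'
var_sshd_set_login_grace_time: '60'
sshd_max_auth_tries_value: '4'
var_sshd_set_max_sessions: '10'
# Quoted: a plain `a:b:c` scalar is a YAML 1.1 sexagesimal-integer candidate,
# and MaxStartups must reach sshd_config as the literal "start:rate:full".
var_sshd_set_maxstartups: '10:30:100'
# NOTE(review): the trailing `[email protected]` entries in the two lists
# below look like a page-rendering artifact (e-mail address obfuscation)
# rather than OpenSSH algorithm names. OpenSSH rejects an unknown Ciphers /
# MACs token when it parses sshd_config, so restore the upstream names
# (<CIPHER_NAME_FROM_UPSTREAM>, <MAC_NAMES_FROM_UPSTREAM>) before applying.
# NOTE(review): the lists also admit CBC-mode ciphers, 3des-cbc and
# hmac-sha1, which current OpenSSH defaults and PCI DSS guidance treat as
# legacy; prefer trimming them in a host/group override rather than editing
# the profile default here, so clients that still need them can opt back in.
sshd_approved_ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,[email protected]
sshd_approved_macs: hmac-sha2-512,hmac-sha2-256,hmac-sha1,[email protected],[email protected],[email protected]
sshd_strong_kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

# --- DISA STIG rule-ID toggles ----------------------------------------------
# Upper-case keys are kept as-is: the role references them by this spelling
# (Ansible variables are case-sensitive), so renaming would break callers.
DISA_STIG_RHEL_07_010010: true
DISA_STIG_RHEL_07_010019: true
DISA_STIG_RHEL_07_010020: true
DISA_STIG_RHEL_07_010060: true
DISA_STIG_RHEL_07_010070: true
DISA_STIG_RHEL_07_010082: true
DISA_STIG_RHEL_07_010100: true
DISA_STIG_RHEL_07_010110: true
DISA_STIG_RHEL_07_010130: true
DISA_STIG_RHEL_07_010140: true
DISA_STIG_RHEL_07_010200: true
DISA_STIG_RHEL_07_010210: true
DISA_STIG_RHEL_07_010220: true
DISA_STIG_RHEL_07_010250: true
DISA_STIG_RHEL_07_010260: true
DISA_STIG_RHEL_07_010270: true
DISA_STIG_RHEL_07_010280: true
DISA_STIG_RHEL_07_010290: true
DISA_STIG_RHEL_07_010291: true
DISA_STIG_RHEL_07_010300: true
DISA_STIG_RHEL_07_010310: true
DISA_STIG_RHEL_07_010320: true
DISA_STIG_RHEL_07_010343: true
DISA_STIG_RHEL_07_010440: true
DISA_STIG_RHEL_07_010450: true
DISA_STIG_RHEL_07_010460: true
DISA_STIG_RHEL_07_010470: true
DISA_STIG_RHEL_07_020000: true
DISA_STIG_RHEL_07_020010: true
DISA_STIG_RHEL_07_020029: true
DISA_STIG_RHEL_07_020030: true
DISA_STIG_RHEL_07_020050: true
DISA_STIG_RHEL_07_020100: true
DISA_STIG_RHEL_07_020101: true
DISA_STIG_RHEL_07_020111: true
DISA_STIG_RHEL_07_020210: true
DISA_STIG_RHEL_07_020220: true
DISA_STIG_RHEL_07_020260: true
DISA_STIG_RHEL_07_020310: true
DISA_STIG_RHEL_07_021110: true
DISA_STIG_RHEL_07_021120: true
DISA_STIG_RHEL_07_021710: true
DISA_STIG_RHEL_07_030000: true
DISA_STIG_RHEL_07_030211: true
DISA_STIG_RHEL_07_030340: true
DISA_STIG_RHEL_07_030360: true
DISA_STIG_RHEL_07_030370: true
DISA_STIG_RHEL_07_030410: true
DISA_STIG_RHEL_07_030440: true
DISA_STIG_RHEL_07_030600: true
DISA_STIG_RHEL_07_030610: true
DISA_STIG_RHEL_07_030620: true
DISA_STIG_RHEL_07_030700: true
DISA_STIG_RHEL_07_030740: true
DISA_STIG_RHEL_07_030870: true
DISA_STIG_RHEL_07_030871: true
DISA_STIG_RHEL_07_030872: true
DISA_STIG_RHEL_07_030873: true
DISA_STIG_RHEL_07_030874: true
DISA_STIG_RHEL_07_030910: true
DISA_STIG_RHEL_07_040160: true
DISA_STIG_RHEL_07_040201: true
DISA_STIG_RHEL_07_040320: true
DISA_STIG_RHEL_07_040350: true
DISA_STIG_RHEL_07_040370: true
DISA_STIG_RHEL_07_040410: true
DISA_STIG_RHEL_07_040420: true
DISA_STIG_RHEL_07_040520: true
DISA_STIG_RHEL_07_040530: true
DISA_STIG_RHEL_07_040611: true
DISA_STIG_RHEL_07_040630: true
DISA_STIG_RHEL_07_040640: true
DISA_STIG_RHEL_07_040650: true
DISA_STIG_RHEL_07_040660: true
DISA_STIG_RHEL_07_040670: true
DISA_STIG_RHEL_07_040700: true
DISA_STIG_RHEL_07_040710: true
DISA_STIG_RHEL_07_040740: true
DISA_STIG_RHEL_07_041010: true
DISA_STIG_RHEL_07_910055: true

# --- Per-rule toggles (ComplianceAsCode-style rule names) ------------------
# Setting one of these to false in an override is presumably how a single
# rule is skipped; confirm against the role's task conditionals.
account_disable_post_pw_expiration: true
accounts_maximum_age_login_defs: true
accounts_no_uid_except_zero: true
accounts_password_pam_dcredit: true
accounts_password_pam_lcredit: true
accounts_password_pam_minlen: true
accounts_password_pam_pwhistory_remember_password_auth: true
accounts_password_pam_pwhistory_remember_system_auth: true
accounts_password_pam_unix_remember: true
accounts_password_set_max_life_existing: true
accounts_password_set_warn_age_existing: true
accounts_password_warn_age_login_defs: true
accounts_passwords_pam_faillock_deny: true
accounts_passwords_pam_faillock_unlock_time: true
accounts_set_post_pw_existing: true
accounts_tmout: true
aide_build_database: true
aide_periodic_cron_checking: true
audit_rules_dac_modification_chmod: true
audit_rules_dac_modification_chown: true
audit_rules_dac_modification_fchmod: true
audit_rules_dac_modification_fchmodat: true
audit_rules_dac_modification_fchown: true
audit_rules_dac_modification_fchownat: true
audit_rules_dac_modification_fremovexattr: true
audit_rules_dac_modification_fsetxattr: true
audit_rules_dac_modification_lchown: true
audit_rules_dac_modification_lremovexattr: true
audit_rules_dac_modification_lsetxattr: true
audit_rules_dac_modification_removexattr: true
audit_rules_dac_modification_setxattr: true
audit_rules_file_deletion_events_rename: true
audit_rules_file_deletion_events_renameat: true
audit_rules_file_deletion_events_rmdir: true
audit_rules_file_deletion_events_unlink: true
audit_rules_file_deletion_events_unlinkat: true
audit_rules_immutable: true
audit_rules_login_events_faillock: true
audit_rules_login_events_lastlog: true
audit_rules_login_events_tallylog: true
audit_rules_mac_modification: true
audit_rules_media_export: true
audit_rules_networkconfig_modification: true
audit_rules_session_events: true
audit_rules_suid_privilege_function: true
audit_rules_sysadmin_actions: true
audit_rules_time_adjtimex: true
audit_rules_time_clock_settime: true
audit_rules_time_settimeofday: true
audit_rules_time_stime: true
audit_rules_time_watch_localtime: true
audit_rules_usergroup_modification_group: true
audit_rules_usergroup_modification_gshadow: true
audit_rules_usergroup_modification_opasswd: true
audit_rules_usergroup_modification_passwd: true
audit_rules_usergroup_modification_shadow: true
audit_sudo_log_events: true
auditd_audispd_syslog_plugin_activated: true
auditd_data_retention_admin_space_left_action: true
auditd_data_retention_space_left: true
auditd_data_retention_space_left_action: true
auditd_name_format: true
chronyd_run_as_chrony_user: true
chronyd_specify_remote_server: true
configure_strategy: true
coredump_disable_backtraces: true
coredump_disable_storage: true
dconf_db_up_to_date: true
dconf_gnome_disable_automount: true
dconf_gnome_disable_automount_open: true
dconf_gnome_screensaver_idle_activation_enabled: true
dconf_gnome_screensaver_idle_delay: true
dconf_gnome_screensaver_lock_delay: true
dconf_gnome_screensaver_lock_enabled: true
dconf_gnome_screensaver_mode_blank: true
dconf_gnome_session_idle_user_locks: true
dir_perms_world_writable_sticky_bits: true
directory_access_var_log_audit: true
disable_host_auth: true
disable_strategy: true
disable_users_coredumps: true
display_login_attempts: true
enable_strategy: true
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_never_disabled: true
ensure_pam_wheel_group_empty: true
ensure_redhat_gpgkey_installed: true
file_at_deny_not_exist: true
file_cron_deny_not_exist: true
file_groupowner_backup_etc_group: true
file_groupowner_backup_etc_passwd: true
file_groupowner_backup_etc_shadow: true
file_groupowner_cron_allow: true
file_groupowner_cron_d: true
file_groupowner_cron_daily: true
file_groupowner_cron_hourly: true
file_groupowner_cron_monthly: true
file_groupowner_cron_weekly: true
file_groupowner_crontab: true
file_groupowner_etc_group: true
file_groupowner_etc_issue_net: true
file_groupowner_etc_passwd: true
file_groupowner_etc_shadow: true
file_groupowner_grub2_cfg: true
file_groupowner_user_cfg: true
file_owner_backup_etc_group: true
file_owner_backup_etc_passwd: true
file_owner_backup_etc_shadow: true
file_owner_cron_allow: true
file_owner_cron_d: true
file_owner_cron_daily: true
file_owner_cron_hourly: true
file_owner_cron_monthly: true
file_owner_cron_weekly: true
file_owner_crontab: true
file_owner_etc_group: true
file_owner_etc_issue_net: true
file_owner_etc_passwd: true
file_owner_etc_shadow: true
file_owner_grub2_cfg: true
file_owner_user_cfg: true
file_permissions_backup_etc_group: true
file_permissions_backup_etc_passwd: true
file_permissions_backup_etc_shadow: true
file_permissions_cron_allow: true
file_permissions_cron_d: true
file_permissions_cron_daily: true
file_permissions_cron_hourly: true
file_permissions_cron_monthly: true
file_permissions_cron_weekly: true
file_permissions_crontab: true
file_permissions_etc_group: true
file_permissions_etc_issue_net: true
file_permissions_etc_passwd: true
file_permissions_etc_shadow: true
file_permissions_grub2_cfg: true
file_permissions_sshd_config: true
file_permissions_sshd_private_key: true
file_permissions_sshd_pub_key: true
file_permissions_user_cfg: true
file_permissions_var_log_audit: true
gnome_gdm_disable_automatic_login: true
gnome_gdm_disable_guest_login: true
grub2_audit_argument: true
grub2_audit_backlog_limit_argument: true
grub2_enable_selinux: true
# Severity / complexity / disruption / strategy / reboot toggles: all levels
# are enabled at once, so these appear to be tag-style selectors rather than
# mutually exclusive modes — verify against the role before changing them.
high_complexity: true
high_disruption: true
high_severity: true
kernel_module_dccp_disabled: true
kernel_module_sctp_disabled: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
network_nmcli_permissions: true
network_sniffer_disabled: true
no_direct_root_logins: true
no_empty_passwords: true
no_empty_passwords_etc_shadow: true
no_password_auth_for_systemaccounts: true
no_reboot_needed: true
no_shelllogin_for_systemaccounts: true
ntpd_specify_remote_server: true
package_aide_installed: true
package_audispd_plugins_installed: true
package_audit_installed: true
package_chrony_installed: true
package_cryptsetup_luks_installed: true
package_dhcp_removed: true
package_ftp_removed: true
package_libselinux_installed: true
package_logrotate_installed: true
package_net_snmp_removed: true
package_nftables_installed: true
package_rsh_removed: true
package_rsh_server_removed: true
package_sudo_installed: true
package_talk_removed: true
package_talk_server_removed: true
package_telnet_removed: true
package_telnet_server_removed: true
package_tftp_removed: true
package_tftp_server_removed: true
package_xinetd_removed: true
package_ypbind_removed: true
package_ypserv_removed: true
patch_strategy: true
postfix_network_listening_disabled: true
reboot_required: true
restrict_strategy: true
rpm_verify_hashes: true
rpm_verify_ownership: true
rsyslog_files_groupownership: true
rsyslog_files_ownership: true
rsyslog_files_permissions: true
securetty_root_login_console_only: true
security_patches_up_to_date: true
selinux_policytype: true
selinux_state: true
service_auditd_enabled: true
service_avahi_daemon_disabled: true
service_chronyd_or_ntpd_enabled: true
service_firewalld_enabled: true
service_nftables_disabled: true
service_ntpd_enabled: true
service_rpcbind_disabled: true
service_rsyncd_disabled: true
set_password_hashing_algorithm_libuserconf: true
set_password_hashing_algorithm_logindefs: true
set_password_hashing_algorithm_systemauth: true
skip_ansible_lint: true
sshd_disable_empty_passwords: true
sshd_disable_rhosts: true
sshd_disable_root_login: true
sshd_disable_tcp_forwarding: true
sshd_disable_x11_forwarding: true
sshd_do_not_permit_user_env: true
sshd_enable_pam: true
sshd_set_idle_timeout: true
sshd_set_keepalive: true
sshd_set_login_grace_time: true
sshd_set_loglevel_verbose: true
sshd_set_max_auth_tries: true
sshd_set_max_sessions: true
sshd_set_maxstartups: true
sshd_use_approved_ciphers: true
sshd_use_approved_macs: true
sshd_use_strong_kex: true
sudo_add_use_pty: true
sudo_custom_logfile: true
sudo_require_authentication: true
sudo_require_reauthentication: true
sysctl_fs_suid_dumpable: true
sysctl_kernel_randomize_va_space: true
sysctl_net_ipv4_conf_all_rp_filter: true
sysctl_net_ipv4_conf_all_secure_redirects: true
sysctl_net_ipv4_conf_all_send_redirects: true
sysctl_net_ipv4_conf_default_accept_redirects: true
sysctl_net_ipv4_conf_default_send_redirects: true
sysctl_net_ipv4_icmp_echo_ignore_broadcasts: true
sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true
sysctl_net_ipv4_ip_forward: true
sysctl_net_ipv4_tcp_syncookies: true
sysctl_net_ipv6_conf_default_accept_source_route: true
unknown_severity: true
unknown_strategy: true
use_pam_wheel_group_for_su: true
wireless_disable_interfaces: true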