---
# defaults file for RHEL7-CIS
# NOTE(review): name suggests this skips tasks that cannot run under Travis CI;
# which tasks honour it is decided in the task files, not here - verify there.
rhel7cis_skip_for_travis: false
# NOTE(review): presumably gates the benchmark items that CIS marks as not
# automated; confirm against the tasks before relying on it.
rhel7cis_notauto: false
# Per-section master switches. A section must be true for any of the
# rhel7cis_rule_* toggles further down in this file to take effect.
rhel7cis_section1: true
rhel7cis_section2: true
rhel7cis_section3: true
rhel7cis_section4: true
rhel7cis_section5: true
rhel7cis_section6: true
# NOTE(review): the name implies this turns SELinux off entirely, which would
# undo the SELinux hardening this role applies; keep false on production hosts
# and confirm the exact effect in the section 1 tasks.
rhel7cis_selinux_disable: false
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Set an individual rule to false to opt out of that one control while keeping
# the rest of its section; record the justification next to it.
# Section 1 rules (applied only when rhel7cis_section1 is true)
rhel7cis_rule_1_1_1_1: true
rhel7cis_rule_1_1_1_2: true
rhel7cis_rule_1_1_1_3: true
rhel7cis_rule_1_1_1_4: true
rhel7cis_rule_1_1_1_5: true
rhel7cis_rule_1_1_1_6: true
rhel7cis_rule_1_1_1_7: true
rhel7cis_rule_1_1_1_8: true
rhel7cis_rule_1_1_2: true
rhel7cis_rule_1_1_3: true
rhel7cis_rule_1_1_4: true
rhel7cis_rule_1_1_5: true
rhel7cis_rule_1_1_6: true
rhel7cis_rule_1_1_7: true
rhel7cis_rule_1_1_8: true
rhel7cis_rule_1_1_9: true
rhel7cis_rule_1_1_10: true
rhel7cis_rule_1_1_11: true
rhel7cis_rule_1_1_12: true
rhel7cis_rule_1_1_13: true
rhel7cis_rule_1_1_14: true
rhel7cis_rule_1_1_15: true
rhel7cis_rule_1_1_16: true
rhel7cis_rule_1_1_17: true
rhel7cis_rule_1_1_18: true
rhel7cis_rule_1_1_19: true
rhel7cis_rule_1_1_20: true
rhel7cis_rule_1_1_21: true
rhel7cis_rule_1_1_22: true
rhel7cis_rule_1_2_1: true
rhel7cis_rule_1_2_2: true
rhel7cis_rule_1_2_3: true
rhel7cis_rule_1_2_4: true
rhel7cis_rule_1_2_5: true
rhel7cis_rule_1_3_1: true
rhel7cis_rule_1_3_2: true
rhel7cis_rule_1_4_1: true
rhel7cis_rule_1_4_2: true
rhel7cis_rule_1_4_3: true
rhel7cis_rule_1_5_1: true
rhel7cis_rule_1_5_2: true
rhel7cis_rule_1_5_3: true
rhel7cis_rule_1_5_4: true
rhel7cis_rule_1_6_1_1: true
rhel7cis_rule_1_6_1_2: true
rhel7cis_rule_1_6_1_3: true
rhel7cis_rule_1_6_1_4: true
rhel7cis_rule_1_6_1_5: true
rhel7cis_rule_1_6_2: true
rhel7cis_rule_1_7_1_1: true
rhel7cis_rule_1_7_1_2: true
rhel7cis_rule_1_7_1_3: true
rhel7cis_rule_1_7_1_4: true
rhel7cis_rule_1_7_1_5: true
rhel7cis_rule_1_7_1_6: true
rhel7cis_rule_1_7_2: true
rhel7cis_rule_1_8: true
# Section 2 rules (applied only when rhel7cis_section2 is true)
# NOTE(review): the 2.2.x items presumably remove or disable services; the
# rhel7cis_*_server / *_required toggles further down are what you use to
# keep a service, not these per-rule switches - confirm in the section 2 tasks.
rhel7cis_rule_2_1_1: true
rhel7cis_rule_2_1_2: true
rhel7cis_rule_2_1_3: true
rhel7cis_rule_2_1_4: true
rhel7cis_rule_2_1_5: true
rhel7cis_rule_2_1_6: true
rhel7cis_rule_2_1_7: true
rhel7cis_rule_2_2_1_1: true
rhel7cis_rule_2_2_1_2: true
rhel7cis_rule_2_2_1_3: true
rhel7cis_rule_2_2_2: true
rhel7cis_rule_2_2_3: true
rhel7cis_rule_2_2_4: true
rhel7cis_rule_2_2_5: true
rhel7cis_rule_2_2_6: true
rhel7cis_rule_2_2_7: true
rhel7cis_rule_2_2_8: true
rhel7cis_rule_2_2_9: true
rhel7cis_rule_2_2_10: true
rhel7cis_rule_2_2_11: true
rhel7cis_rule_2_2_12: true
rhel7cis_rule_2_2_13: true
rhel7cis_rule_2_2_14: true
rhel7cis_rule_2_2_15: true
rhel7cis_rule_2_2_16: true
rhel7cis_rule_2_2_17: true
rhel7cis_rule_2_2_18: true
rhel7cis_rule_2_2_19: true
rhel7cis_rule_2_2_20: true
rhel7cis_rule_2_2_21: true
rhel7cis_rule_2_3_1: true
rhel7cis_rule_2_3_2: true
rhel7cis_rule_2_3_3: true
rhel7cis_rule_2_3_4: true
rhel7cis_rule_2_3_5: true
# Section 3 rules (applied only when rhel7cis_section3 is true)
# Network configuration; rhel7cis_is_router, rhel7cis_ipv6_required,
# rhel7cis_host_allow and rhel7cis_firewall* below feed these tasks.
rhel7cis_rule_3_1_1: true
rhel7cis_rule_3_1_2: true
rhel7cis_rule_3_2_1: true
rhel7cis_rule_3_2_2: true
rhel7cis_rule_3_2_3: true
rhel7cis_rule_3_2_4: true
rhel7cis_rule_3_2_5: true
rhel7cis_rule_3_2_6: true
rhel7cis_rule_3_2_7: true
rhel7cis_rule_3_2_8: true
rhel7cis_rule_3_3_1: true
rhel7cis_rule_3_3_2: true
rhel7cis_rule_3_3_3: true
rhel7cis_rule_3_4_1: true
rhel7cis_rule_3_4_2: true
rhel7cis_rule_3_4_3: true
rhel7cis_rule_3_4_4: true
rhel7cis_rule_3_4_5: true
rhel7cis_rule_3_5_1: true
rhel7cis_rule_3_5_2: true
rhel7cis_rule_3_5_3: true
rhel7cis_rule_3_5_4: true
rhel7cis_rule_3_6_1: true
rhel7cis_rule_3_6_2: true
rhel7cis_rule_3_6_3: true
rhel7cis_rule_3_6_4: true
rhel7cis_rule_3_6_5: true
# Section 4 rules (applied only when rhel7cis_section4 is true)
# Logging and auditing; rhel7cis_auditd, rhel7cis_logrotate and
# rhel7cis_syslog below feed these tasks.
rhel7cis_rule_4_1_1_1: true
rhel7cis_rule_4_1_1_2: true
rhel7cis_rule_4_1_1_3: true
rhel7cis_rule_4_1_2: true
rhel7cis_rule_4_1_3: true
rhel7cis_rule_4_1_4: true
rhel7cis_rule_4_1_5: true
rhel7cis_rule_4_1_6: true
rhel7cis_rule_4_1_7: true
rhel7cis_rule_4_1_8: true
rhel7cis_rule_4_1_9: true
rhel7cis_rule_4_1_10: true
rhel7cis_rule_4_1_11: true
rhel7cis_rule_4_1_12: true
rhel7cis_rule_4_1_13: true
rhel7cis_rule_4_1_14: true
rhel7cis_rule_4_1_15: true
rhel7cis_rule_4_1_16: true
rhel7cis_rule_4_1_17: true
rhel7cis_rule_4_1_18: true
# NOTE(review): 4_2_3 is listed ahead of the 4_2_1_x / 4_2_2_x keys. Key order
# carries no meaning in a mapping, but keeping ids sorted makes diffs reviewable.
rhel7cis_rule_4_2_3: true
rhel7cis_rule_4_2_1_1: true
rhel7cis_rule_4_2_1_2: true
rhel7cis_rule_4_2_1_3: true
rhel7cis_rule_4_2_1_4: true
rhel7cis_rule_4_2_1_5: true
rhel7cis_rule_4_2_2_1: true
rhel7cis_rule_4_2_2_2: true
rhel7cis_rule_4_2_2_3: true
rhel7cis_rule_4_2_2_4: true
rhel7cis_rule_4_2_2_5: true
rhel7cis_rule_4_2_4: true
# Section 5 rules (applied only when rhel7cis_section5 is true)
# Access, authentication and authorization; rhel7cis_sshd and rhel7cis_pass
# below feed these tasks.
rhel7cis_rule_5_1_1: true
rhel7cis_rule_5_1_2: true
rhel7cis_rule_5_1_3: true
rhel7cis_rule_5_1_4: true
rhel7cis_rule_5_1_5: true
rhel7cis_rule_5_1_6: true
rhel7cis_rule_5_1_7: true
rhel7cis_rule_5_1_8: true
rhel7cis_rule_5_2_1: true
rhel7cis_rule_5_2_2: true
rhel7cis_rule_5_2_3: true
rhel7cis_rule_5_2_4: true
rhel7cis_rule_5_2_5: true
rhel7cis_rule_5_2_6: true
rhel7cis_rule_5_2_7: true
rhel7cis_rule_5_2_8: true
rhel7cis_rule_5_2_9: true
rhel7cis_rule_5_2_10: true
rhel7cis_rule_5_2_11: true
rhel7cis_rule_5_2_12: true
rhel7cis_rule_5_2_13: true
rhel7cis_rule_5_2_14: true
rhel7cis_rule_5_2_15: true
rhel7cis_rule_5_2_16: true
rhel7cis_rule_5_3_1: true
rhel7cis_rule_5_3_2: true
rhel7cis_rule_5_3_3: true
rhel7cis_rule_5_3_4: true
rhel7cis_rule_5_4_1_1: true
rhel7cis_rule_5_4_1_2: true
rhel7cis_rule_5_4_1_3: true
rhel7cis_rule_5_4_1_4: true
rhel7cis_rule_5_4_2: true
rhel7cis_rule_5_4_3: true
rhel7cis_rule_5_4_4: true
# Section 6 rules (applied only when rhel7cis_section6 is true)
# System maintenance: file permissions and user/group account checks.
rhel7cis_rule_6_1_1: true
rhel7cis_rule_6_1_2: true
rhel7cis_rule_6_1_3: true
rhel7cis_rule_6_1_4: true
rhel7cis_rule_6_1_5: true
rhel7cis_rule_6_1_6: true
rhel7cis_rule_6_1_7: true
rhel7cis_rule_6_1_8: true
rhel7cis_rule_6_1_9: true
rhel7cis_rule_6_1_10: true
rhel7cis_rule_6_1_11: true
rhel7cis_rule_6_1_12: true
rhel7cis_rule_6_1_13: true
rhel7cis_rule_6_1_14: true
rhel7cis_rule_6_2_1: true
rhel7cis_rule_6_2_2: true
rhel7cis_rule_6_2_3: true
rhel7cis_rule_6_2_4: true
rhel7cis_rule_6_2_5: true
rhel7cis_rule_6_2_6: true
rhel7cis_rule_6_2_7: true
rhel7cis_rule_6_2_8: true
rhel7cis_rule_6_2_9: true
rhel7cis_rule_6_2_10: true
rhel7cis_rule_6_2_11: true
rhel7cis_rule_6_2_12: true
# NOTE(review): no rhel7cis_rule_6_2_13 key is defined in this file. If a task
# is conditioned on it, the variable is undefined at runtime - confirm whether
# the id is intentionally absent or the default was dropped.
rhel7cis_rule_6_2_14: true
rhel7cis_rule_6_2_15: true
rhel7cis_rule_6_2_16: true
rhel7cis_rule_6_2_17: true
rhel7cis_rule_6_2_18: true
rhel7cis_rule_6_2_19: true
# Service configuration booleans: set one to true to keep that service on the
# host instead of letting the role remove/disable it. Every default is false,
# so the hardening runs unless a service is explicitly opted in here.
rhel7cis_avahi_server: false
rhel7cis_cups_server: false
rhel7cis_dhcp_server: false
rhel7cis_ldap_server: false
rhel7cis_telnet_server: false
rhel7cis_nfs_server: false
rhel7cis_rpc_server: false
rhel7cis_ntalk_server: false
rhel7cis_rsyncd_server: false
rhel7cis_tftp_server: false
rhel7cis_rsh_server: false
rhel7cis_nis_server: false
rhel7cis_snmp_server: false
rhel7cis_squid_server: false
rhel7cis_smb_server: false
rhel7cis_dovecot_server: false
rhel7cis_httpd_server: false
rhel7cis_vsftpd_server: false
rhel7cis_named_server: false
rhel7cis_nfs_rpc_server: false
rhel7cis_is_mail_server: false
# NOTE(review): the keys below overlap with *_server keys above
# (bind/named, vsftpd, httpd, dovecot, samba/smb, squid, net_snmp/snmp).
# Which member of each pair the tasks actually read cannot be determined from
# this file; set both members of a pair consistently until that is confirmed.
rhel7cis_bind: false
rhel7cis_vsftpd: false
rhel7cis_httpd: false
rhel7cis_dovecot: false
rhel7cis_samba: false
rhel7cis_squid: false
rhel7cis_net_snmp: false
# Keep the autofs service; false lets the role disable it.
rhel7cis_allow_autofs: false
# xinetd required
rhel7cis_xinetd_required: false
# RedHat Satellite Subscription items
rhel7cis_rhnsd_required: false
# 1.4.2 Bootloader password
# NOTE(review): "random" here is the literal string "random", not an
# instruction to generate a password. It is presumably the plaintext the 1.4.2
# task hashes for GRUB, and it is only consumed while rhel7cis_set_boot_pass
# is true. Before enabling that flag, override this value from an encrypted
# source (e.g. ansible-vault) rather than committing a real password here.
rhel7cis_bootloader_password: random
rhel7cis_set_boot_pass: false
# System network parameters (host only OR host and router)
# false = host-only kernel network parameters; true selects the router variant.
rhel7cis_is_router: false
# IPv6 required
# false lets the role disable IPv6; leave true unless the host never uses it.
rhel7cis_ipv6_required: true
# AIDE
# Install and configure AIDE file-integrity checking (schedule below).
rhel7cis_config_aide: true
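# AIDE cron settings: the crontab entry for the periodic integrity check.
# These keys form one mapping under rhel7cis_aide_cron; indenting them is what
# makes them its children rather than unrelated top-level variables.
rhel7cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/sbin/aide --check'
  # Schedule fields as in crontab(5): 05:00 every day. '*' is quoted because a
  # bare * would be read as a YAML alias.
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'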
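# SELinux policy
rhel7cis_selinux_pol: targeted
# Whether or not to run tasks related to auditing/patching the desktop environment.
# Booleans are written as true/false: "no" is a boolean only under YAML 1.1 and a
# plain string under YAML 1.2, so the spelling below is unambiguous for any loader.
rhel7cis_gui: false
# Set to true if X Windows is needed in your environment
rhel7cis_xwindows_required: false
# NOTE(review): *_required toggles presumably keep the named client package
# installed when true; false lets the role remove it. Confirm in the tasks.
rhel7cis_openldap_clients_required: false
rhel7cis_telnet_required: false
rhel7cis_talk_required: false
rhel7cis_rsh_required: false
rhel7cis_ypbind_required: false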
# Time Synchronization
# Daemon the role configures: chrony (default) or ntp.
rhel7cis_time_synchronization: chrony
# rhel7cis_time_synchronization: ntp
# Upstream servers written into the daemon's configuration. The public pool is
# a placeholder; point this at your organisation's time sources.
rhel7cis_time_synchronization_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org
# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
# Networks permitted in /etc/hosts.allow. The default admits every RFC 1918
# range, i.e. all private address space; narrow it to the management networks
# that genuinely need access.
rhel7cis_host_allow:
  - "10.0.0.0/255.0.0.0"
  - "172.16.0.0/255.240.0.0"
  - "192.168.0.0/255.255.0.0"
# Firewall implementation the role configures: firewalld (default) or iptables.
rhel7cis_firewall: firewalld
# rhel7cis_firewall: iptables
# Services that remain reachable through the firewall.
# NOTE(review): these look like firewalld service names; confirm they are
# honoured when rhel7cis_firewall is switched to iptables.
rhel7cis_firewall_services:
  - ssh
  - dhcpv6-client
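# Warning Banner Content (issue, issue.net, motd)
# Literal block scalar: the indented text is written verbatim to the banner
# files and keeps its trailing newline. The body must be indented deeper than
# the key, otherwise the scalar is empty and the line is a parse error.
rhel7cis_warning_banner: |
  Authorized uses only. All activity may be monitored and reported.
# End Banner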
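## Section4 vars
# auditd.conf settings applied by the section 4 tasks. Both keys belong to the
# rhel7cis_auditd mapping, so they are indented under it.
rhel7cis_auditd:
  # halt: per auditd.conf(5), auditd shuts the system down when the admin
  # space-left threshold on the audit partition is reached. This is the
  # fail-closed setting CIS asks for; size and monitor the audit partition, or
  # a full disk becomes an outage.
  admin_space_left_action: halt
  # keep_logs: rotate but never delete audit logs, so they need external
  # archiving/cleanup.
  max_log_file_action: keep_logs
# Rotation frequency for the logrotate configuration.
rhel7cis_logrotate: "daily"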
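## Section5 vars
# sshd_config values applied by the section 5 tasks. All keys form one mapping
# under rhel7cis_sshd and are indented accordingly.
rhel7cis_sshd:
  # Idle sessions are dropped after clientaliveinterval * clientalivecountmax
  # seconds without a response (15 minutes with these values).
  clientalivecountmax: 3
  clientaliveinterval: 300
  # Approved cipher list: CTR modes only, no CBC.
  ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
  # Approved MAC list: encrypt-then-MAC variants first, then the plain
  # hmac-sha2 and umac-128 algorithms. Names must be exact OpenSSH MAC
  # identifiers; an unknown name makes sshd reject its configuration.
  # NOTE(review): this list was reconstructed from a mis-encoded copy of the
  # file; verify it against the benchmark text before relying on it.
  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
  logingracetime: 60
  # Access-control lists: leave commented out unless you need them.
  # - make sure you understand the precedence when working with these values!!
  #   sshd_config(5) evaluates them in the order DenyUsers, AllowUsers,
  #   DenyGroups, AllowGroups; a typo in an Allow* list locks everyone out.
  # allowusers:
  # allowgroups: systems dba
  # denyusers:
  # denygroups: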
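# Password ageing values (days). NOTE(review): presumably written to
# PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE in /etc/login.defs - confirm.
# The three keys form one mapping under rhel7cis_pass.
rhel7cis_pass:
  max_days: 90
  min_days: 7
  warn_age: 7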
# Syslog system
# Log daemon the role configures: rsyslog (default) or syslog-ng.
rhel7cis_syslog: rsyslog
#rhel7cis_syslog: syslog-ng
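# Bind mount of /tmp (presumably onto /var/tmp, from the key name). Disabled by
# default; set enabled: true to have the mount written. Keys are one mapping.
rhel7cis_vartmp:
  source: /tmp
  fstype: none
  # fstab(5) options are a single comma-separated token. Spaces are not
  # allowed: fstab lines are whitespace-delimited, so "defaults, nodev" would
  # be split into extra fields and the entry would be unusable.
  opts: "defaults,nodev,nosuid,noexec,bind"
  enabled: false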