---
# defaults file for rhel9_cui
#
# Role defaults for the rhel9_cui role: a flat mapping of scalar settings
# (the var_* / *_value keys below) followed by a long list of keys set to
# `true`. Nothing in this file shows how the `true` keys are consumed;
# they look like per-control / per-rule / per-category selectors that the
# role's tasks read as enable switches — confirm against the tasks before
# relying on that reading.
#
# Numeric-looking values are deliberately quoted so YAML keeps them as
# strings rather than coercing them to integers (e.g. '0' stays '0').

# --- Scalar settings --------------------------------------------------------

# Plain scalar containing a colon without a following space; that is valid
# YAML, but keep the value either in this exact form or quoted.
var_system_crypto_policy: FIPS:OSPP
var_authselect_profile: minimal
# pam_faillock tuning: deny after 3 failures within 900 s. Per pam_faillock's
# unlock_time semantics an unlock_time of 0 means no automatic unlock, so a
# locked account needs an administrator reset — confirm against the target
# PAM version.
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_fail_interval: '900'
var_accounts_passwords_pam_faillock_unlock_time: '0'
# pam_pwquality credits: a negative value is a minimum count of that class.
var_password_pam_dcredit: '-1'
var_password_pam_lcredit: '-1'
var_password_pam_minlen: '12'
var_password_pam_ocredit: '-1'
var_password_pam_ucredit: '-1'
var_auditd_flush: incremental_async
var_auditd_name_format: hostname
# Target values for the sysctl rules below; the matching sysctl_* toggles
# appear further down. Kernel meaning of these values (2 = unprivileged BPF
# disabled, 1 = kernel pointers hidden from unprivileged users) should be
# confirmed against the kernel documentation for the target release.
sysctl_kernel_unprivileged_bpf_disabled_value: '2'
sysctl_kernel_kptr_restrict_value: '1'
var_selinux_policy_name: targeted
var_selinux_state: enforcing
# Client- and server-side SSH RekeyLimit values (size then time).
var_ssh_client_rekey_limit_size: 1G
var_ssh_client_rekey_limit_time: 1h
var_rekey_limit_size: 1G
var_rekey_limit_time: 1h

# --- DISA STIG RHEL 9 control identifiers, all enabled -----------------------
DISA_STIG_RHEL_09_211045: true
DISA_STIG_RHEL_09_211050: true
DISA_STIG_RHEL_09_211055: true
DISA_STIG_RHEL_09_212035: true
DISA_STIG_RHEL_09_212055: true
DISA_STIG_RHEL_09_213010: true
DISA_STIG_RHEL_09_213015: true
DISA_STIG_RHEL_09_213020: true
DISA_STIG_RHEL_09_213025: true
DISA_STIG_RHEL_09_213050: true
DISA_STIG_RHEL_09_213060: true
DISA_STIG_RHEL_09_213065: true
DISA_STIG_RHEL_09_213080: true
DISA_STIG_RHEL_09_213100: true
DISA_STIG_RHEL_09_213105: true
DISA_STIG_RHEL_09_213115: true
DISA_STIG_RHEL_09_214010: true
DISA_STIG_RHEL_09_214015: true
DISA_STIG_RHEL_09_214020: true
DISA_STIG_RHEL_09_214025: true
DISA_STIG_RHEL_09_215010: true
DISA_STIG_RHEL_09_215080: true
DISA_STIG_RHEL_09_231160: true
DISA_STIG_RHEL_09_231165: true
DISA_STIG_RHEL_09_231170: true
DISA_STIG_RHEL_09_251010: true
DISA_STIG_RHEL_09_251015: true
DISA_STIG_RHEL_09_252010: true
DISA_STIG_RHEL_09_252025: true
DISA_STIG_RHEL_09_255010: true
DISA_STIG_RHEL_09_255020: true
DISA_STIG_RHEL_09_255025: true
DISA_STIG_RHEL_09_255040: true
DISA_STIG_RHEL_09_255045: true
DISA_STIG_RHEL_09_255055: true
DISA_STIG_RHEL_09_255080: true
DISA_STIG_RHEL_09_255090: true
DISA_STIG_RHEL_09_255135: true
DISA_STIG_RHEL_09_255140: true
DISA_STIG_RHEL_09_291015: true
DISA_STIG_RHEL_09_291020: true
DISA_STIG_RHEL_09_291035: true
DISA_STIG_RHEL_09_411075: true
DISA_STIG_RHEL_09_411085: true
DISA_STIG_RHEL_09_411090: true
DISA_STIG_RHEL_09_412010: true
DISA_STIG_RHEL_09_412015: true
DISA_STIG_RHEL_09_412020: true
DISA_STIG_RHEL_09_412025: true
DISA_STIG_RHEL_09_431010: true
DISA_STIG_RHEL_09_431015: true
DISA_STIG_RHEL_09_432010: true
DISA_STIG_RHEL_09_432035: true
DISA_STIG_RHEL_09_433010: true
DISA_STIG_RHEL_09_433015: true
DISA_STIG_RHEL_09_611025: true
DISA_STIG_RHEL_09_611065: true
DISA_STIG_RHEL_09_611070: true
DISA_STIG_RHEL_09_611090: true
DISA_STIG_RHEL_09_611100: true
DISA_STIG_RHEL_09_611110: true
DISA_STIG_RHEL_09_611200: true
DISA_STIG_RHEL_09_653010: true
DISA_STIG_RHEL_09_653015: true
DISA_STIG_RHEL_09_653060: true
DISA_STIG_RHEL_09_653095: true
DISA_STIG_RHEL_09_653100: true
DISA_STIG_RHEL_09_653120: true
DISA_STIG_RHEL_09_671010: true
DISA_STIG_RHEL_09_672010: true
DISA_STIG_RHEL_09_672030: true
DISA_STIG_RHEL_09_672035: true
DISA_STIG_RHEL_09_672045: true

# --- Per-rule and per-category selectors, all enabled ------------------------
# Besides individual rule names this list also contains category buckets
# (low/medium/high severity, disruption and complexity; the *_strategy keys;
# reboot_required and no_reboot_needed). Both reboot keys being true is
# consistent with these being tag selectors rather than role behaviour
# flags — confirm against the tasks.
accounts_password_pam_dcredit: true
accounts_password_pam_lcredit: true
accounts_password_pam_minlen: true
accounts_password_pam_ocredit: true
accounts_password_pam_ucredit: true
accounts_passwords_pam_faillock_deny: true
accounts_passwords_pam_faillock_interval: true
accounts_passwords_pam_faillock_unlock_time: true
# Audit rule groups; the _aarch64 / _ppc64le variants carry the
# architecture-specific syscall variants of the same group.
audit_access_failed: true
audit_access_failed_aarch64: true
audit_access_failed_ppc64le: true
audit_access_success: true
audit_access_success_aarch64: true
audit_access_success_ppc64le: true
audit_basic_configuration: true
audit_create_failed: true
audit_create_failed_aarch64: true
audit_create_failed_ppc64le: true
audit_create_success: true
audit_create_success_aarch64: true
audit_create_success_ppc64le: true
audit_delete_failed: true
audit_delete_failed_aarch64: true
audit_delete_failed_ppc64le: true
audit_delete_success: true
audit_delete_success_aarch64: true
audit_delete_success_ppc64le: true
audit_immutable_login_uids: true
audit_modify_failed: true
audit_modify_failed_aarch64: true
audit_modify_failed_ppc64le: true
audit_modify_success: true
audit_modify_success_aarch64: true
audit_modify_success_ppc64le: true
audit_module_load: true
audit_module_load_ppc64le: true
audit_ospp_general: true
audit_ospp_general_aarch64: true
audit_ospp_general_ppc64le: true
audit_owner_change_failed: true
audit_owner_change_failed_aarch64: true
audit_owner_change_failed_ppc64le: true
audit_owner_change_success: true
audit_owner_change_success_aarch64: true
audit_owner_change_success_ppc64le: true
audit_perm_change_failed: true
audit_perm_change_failed_aarch64: true
audit_perm_change_failed_ppc64le: true
audit_perm_change_success: true
audit_perm_change_success_aarch64: true
audit_perm_change_success_ppc64le: true
auditd_data_retention_flush: true
auditd_freq: true
auditd_log_format: true
auditd_name_format: true
chronyd_client_only: true
configure_bashrc_exec_tmux: true
configure_crypto_policy: true
configure_openssl_crypto_policy: true
configure_ssh_crypto_policy: true
configure_strategy: true
configure_tmux_lock_after_time: true
configure_tmux_lock_command: true
disable_ctrlaltdel_burstaction: true
disable_ctrlaltdel_reboot: true
disable_host_auth: true
disable_strategy: true
enable_authselect: true
enable_dracut_fips_module: true
enable_fips_mode: true
enable_strategy: true
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_local_packages: true
ensure_gpgcheck_never_disabled: true
ensure_redhat_gpgkey_installed: true
grub2_audit_argument: true
grub2_audit_backlog_limit_argument: true
grub2_disable_recovery: true
grub2_init_on_alloc_argument: true
grub2_page_alloc_shuffle_argument: true
grub2_vsyscall_argument: true
high_disruption: true
high_severity: true
kernel_module_bluetooth_disabled: true
kernel_module_can_disabled: true
kernel_module_sctp_disabled: true
kernel_module_tipc_disabled: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
mount_option_var_log_audit_nodev: true
mount_option_var_log_audit_noexec: true
mount_option_var_log_audit_nosuid: true
no_empty_passwords: true
no_reboot_needed: true
package_audit_installed: true
package_chrony_installed: true
package_crypto_policies_installed: true
package_dnf_automatic_installed: true
package_fapolicyd_installed: true
package_firewalld_installed: true
package_gnutls_utils_installed: true
package_openscap_scanner_installed: true
package_openssh_clients_installed: true
package_openssh_server_installed: true
package_scap_security_guide_installed: true
package_subscription_manager_installed: true
package_sudo_installed: true
package_tmux_installed: true
package_usbguard_installed: true
reboot_required: true
require_singleuser_auth: true
restrict_strategy: true
selinux_policytype: true
selinux_state: true
service_auditd_enabled: true
service_debug_shell_disabled: true
service_fapolicyd_enabled: true
service_firewalld_enabled: true
service_kdump_disabled: true
service_systemd_coredump_disabled: true
service_usbguard_enabled: true
ssh_client_rekey_limit: true
sshd_disable_empty_passwords: true
sshd_disable_gssapi_auth: true
sshd_disable_kerb_auth: true
sshd_disable_root_login: true
sshd_enable_warning_banner: true
sshd_rekey_limit: true
# sysctl rule selectors; the two *_value keys near the top of the file supply
# the values for the kptr_restrict and unprivileged_bpf_disabled rules.
sysctl_kernel_core_pattern_empty_string: true
sysctl_kernel_core_uses_pid: true
sysctl_kernel_dmesg_restrict: true
sysctl_kernel_kexec_load_disabled: true
sysctl_kernel_kptr_restrict: true
sysctl_kernel_perf_event_paranoid: true
sysctl_kernel_unprivileged_bpf_disabled_accept_default: true
sysctl_kernel_yama_ptrace_scope: true
sysctl_user_max_user_namespaces: true
unknown_strategy: true
usbguard_allow_hid_and_hub: true
use_pam_wheel_for_su: true
# zipl_* are the s390x bootloader counterparts of the grub2_* argument rules.
zipl_audit_argument: true
zipl_audit_backlog_limit_argument: true
zipl_init_on_alloc_argument: true
zipl_page_alloc_shuffle_argument: true