---
# defaults file for rhel8_cui
#
# Role defaults for a RHEL 8 CUI (NIST SP 800-171 / OSPP-derived) hardening
# baseline. Two kinds of keys live in this file:
#   * `var_*` and `sysctl_*_value` keys hold the concrete values the hardening
#     tasks write into PAM, auditd, sysctl, SELinux, SSH and boot config.
#   * the remaining `<name>: true` keys look like per-rule enable switches
#     (one per DISA STIG ID, rule short-name, severity or disruption tag).
#     NOTE(review): this file alone does not show how they are consumed —
#     confirm against the role's tasks before relying on a flag to skip a rule.
# Numeric settings are deliberately kept as quoted strings so the YAML loader
# does not retype them (e.g. '0' stays '0', '027' is not read as octal).
#
# --- Cryptographic policy ----------------------------------------------------
# FIPS base policy with the OSPP sub-policy layered on. This is stricter than
# plain FIPS (fewer legacy ciphers/key sizes) and can break peers that only
# speak older algorithms; it only becomes effective once the system is in
# FIPS mode (see enable_fips_mode / enable_dracut_fips_module below), which
# generally requires a reboot.
var_system_crypto_policy: FIPS:OSPP
# authselect profile the PAM stack is rebuilt from; `minimal` = local files
# only (no sssd/winbind). Custom /etc/pam.d edits are overwritten by authselect.
var_authselect_profile: minimal
# --- Password history and lockout -------------------------------------------
# Number of previous password hashes pam_unix keeps to reject reuse.
var_password_pam_unix_remember: '5'
# pam_faillock: lock after 3 failures within a 900 s window.
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_fail_interval: '900'
# unlock_time 0 — per pam_faillock(8) the lock never expires on its own; an
# administrator must run `faillock --reset --user <name>`. Anyone who can reach
# a login prompt can therefore lock out accounts (including admins) with three
# bad guesses, so keep a break-glass path (console root via securetty, see
# securetty_root_login_console_only) in mind before applying this.
var_accounts_passwords_pam_faillock_unlock_time: '0'
# --- pam_pwquality complexity ------------------------------------------------
# A negative *credit value means "at least this many characters of that class"
# (-1 = at least one digit / lowercase / special / uppercase).
var_password_pam_dcredit: '-1'
# At least 4 characters must differ from the previous password.
var_password_pam_difok: '4'
var_password_pam_lcredit: '-1'
# Max consecutive characters of the same class / identical characters.
var_password_pam_maxclassrepeat: '4'
var_password_pam_maxrepeat: '3'
# Minimum length. NOTE(review): the DISA_STIG_RHEL_08_020230 tag below is
# enabled, but the RHEL 8 STIG text for that ID asks for 15 — verify which
# baseline (OSPP/CUI vs. STIG) this role is meant to satisfy.
var_password_pam_minlen: '12'
var_password_pam_ocredit: '-1'
var_password_pam_ucredit: '-1'
# --- Session limits and defaults ---------------------------------------------
# maxlogins in limits.conf — applies per user, including service accounts
# that open many sessions.
var_accounts_max_concurrent_login_sessions: '10'
# Default umask written to /etc/profile, /etc/bashrc, /etc/csh.cshrc:
# group read-only, no access for others.
var_accounts_user_umask: '027'
# --- auditd ------------------------------------------------------------------
# incremental_async: flush with freq batching, without blocking on every write.
var_auditd_flush: incremental_async
# Prefix records with the hostname so logs remain attributable when shipped.
var_auditd_name_format: hostname
# --- sysctl values ('0' = disabled, '1' = enabled) ----------------------------
# IPv6: do not accept router advertisements, ICMP redirects or source-routed
# packets on any interface (both current `all` and future `default`).
sysctl_net_ipv6_conf_all_accept_ra_value: '0'
sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
sysctl_net_ipv6_conf_all_accept_source_route_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_value: '0'
sysctl_net_ipv6_conf_default_accept_redirects_value: '0'
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
# IPv4 equivalents.
sysctl_net_ipv4_conf_all_accept_redirects_value: '0'
sysctl_net_ipv4_conf_all_accept_source_route_value: '0'
# Log packets with impossible source addresses (noisy on busy networks).
sysctl_net_ipv4_conf_all_log_martians_value: '1'
# rp_filter 1 = strict reverse-path filtering. Hosts with asymmetric routing
# (multi-homed, policy routing) may silently drop legitimate traffic; loose
# mode ('2') is the usual fallback there.
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_default_log_martians_value: '1'
sysctl_net_ipv4_conf_default_rp_filter_value: '1'
sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
# Ignore broadcast pings (smurf) and malformed ICMP error responses.
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
# SYN cookies: keeps the listen queue usable under SYN floods.
sysctl_net_ipv4_tcp_syncookies_value: '1'
# kptr_restrict 1 hides kernel pointers from unprivileged readers of /proc.
sysctl_kernel_kptr_restrict_value: '1'
# --- Kernel / boot -----------------------------------------------------------
# slub_debug=P poisons freed slab objects (use-after-free detection); it has a
# measurable performance cost on allocation-heavy workloads.
var_slub_debug_options: P
# SELinux: targeted policy, enforcing. Switching to enforcing on a system
# with mislabeled files can break services — relabel and test in permissive
# first on existing hosts.
var_selinux_policy_name: targeted
var_selinux_state: enforcing
# --- SSH ---------------------------------------------------------------------
# RekeyLimit for the client and server: renegotiate keys after 1 GiB of data
# or 1 hour, whichever comes first.
var_ssh_client_rekey_limit_size: 1G
var_ssh_client_rekey_limit_time: 1h
# ClientAliveInterval in seconds (840 s = 14 minutes). Combined with
# sshd_set_keepalive_0 below, an unresponsive session is dropped after one
# missed keepalive rather than kept open indefinitely.
sshd_idle_timeout_value: '840'
var_rekey_limit_size: 1G
var_rekey_limit_time: 1h
# --- Rule selectors by DISA STIG ID ------------------------------------------
# One flag per RHEL 8 STIG vulnerability ID; all enabled. Presumably the
# tasks are tagged with the same IDs so a single rule can be disabled here
# without editing the tasks — confirm against the role's tasks.
DISA_STIG_RHEL_08_010019: true
DISA_STIG_RHEL_08_010020: true
DISA_STIG_RHEL_08_010040: true
DISA_STIG_RHEL_08_010151: true
DISA_STIG_RHEL_08_010161: true
DISA_STIG_RHEL_08_010162: true
DISA_STIG_RHEL_08_010170: true
DISA_STIG_RHEL_08_010171: true
DISA_STIG_RHEL_08_010201: true
DISA_STIG_RHEL_08_010287: true
DISA_STIG_RHEL_08_010292: true
DISA_STIG_RHEL_08_010293: true
DISA_STIG_RHEL_08_010359: true
DISA_STIG_RHEL_08_010370: true
DISA_STIG_RHEL_08_010371: true
DISA_STIG_RHEL_08_010372: true
DISA_STIG_RHEL_08_010373: true
DISA_STIG_RHEL_08_010374: true
DISA_STIG_RHEL_08_010375: true
DISA_STIG_RHEL_08_010376: true
DISA_STIG_RHEL_08_010421: true
DISA_STIG_RHEL_08_010422: true
DISA_STIG_RHEL_08_010423: true
DISA_STIG_RHEL_08_010450: true
DISA_STIG_RHEL_08_010500: true
DISA_STIG_RHEL_08_010521: true
DISA_STIG_RHEL_08_010522: true
DISA_STIG_RHEL_08_010550: true
DISA_STIG_RHEL_08_010570: true
DISA_STIG_RHEL_08_010571: true
DISA_STIG_RHEL_08_010580: true
DISA_STIG_RHEL_08_010670: true
DISA_STIG_RHEL_08_010671: true
DISA_STIG_RHEL_08_010672: true
DISA_STIG_RHEL_08_010673: true
DISA_STIG_RHEL_08_010674: true
DISA_STIG_RHEL_08_010675: true
DISA_STIG_RHEL_08_020011: true
DISA_STIG_RHEL_08_020012: true
DISA_STIG_RHEL_08_020013: true
DISA_STIG_RHEL_08_020014: true
DISA_STIG_RHEL_08_020015: true
DISA_STIG_RHEL_08_020024: true
DISA_STIG_RHEL_08_020039: true
DISA_STIG_RHEL_08_020040: true
DISA_STIG_RHEL_08_020070: true
DISA_STIG_RHEL_08_020110: true
DISA_STIG_RHEL_08_020120: true
DISA_STIG_RHEL_08_020130: true
DISA_STIG_RHEL_08_020140: true
DISA_STIG_RHEL_08_020150: true
DISA_STIG_RHEL_08_020170: true
DISA_STIG_RHEL_08_020230: true
DISA_STIG_RHEL_08_020280: true
DISA_STIG_RHEL_08_020330: true
DISA_STIG_RHEL_08_020331: true
DISA_STIG_RHEL_08_020332: true
DISA_STIG_RHEL_08_020353: true
DISA_STIG_RHEL_08_030061: true
DISA_STIG_RHEL_08_030062: true
DISA_STIG_RHEL_08_030063: true
DISA_STIG_RHEL_08_030180: true
DISA_STIG_RHEL_08_030181: true
DISA_STIG_RHEL_08_030601: true
DISA_STIG_RHEL_08_030602: true
DISA_STIG_RHEL_08_030670: true
DISA_STIG_RHEL_08_030741: true
DISA_STIG_RHEL_08_030742: true
DISA_STIG_RHEL_08_040001: true
DISA_STIG_RHEL_08_040002: true
DISA_STIG_RHEL_08_040004: true
DISA_STIG_RHEL_08_040021: true
DISA_STIG_RHEL_08_040022: true
DISA_STIG_RHEL_08_040023: true
DISA_STIG_RHEL_08_040024: true
DISA_STIG_RHEL_08_040025: true
DISA_STIG_RHEL_08_040026: true
DISA_STIG_RHEL_08_040100: true
DISA_STIG_RHEL_08_040101: true
DISA_STIG_RHEL_08_040111: true
DISA_STIG_RHEL_08_040120: true
DISA_STIG_RHEL_08_040121: true
DISA_STIG_RHEL_08_040122: true
DISA_STIG_RHEL_08_040123: true
DISA_STIG_RHEL_08_040124: true
DISA_STIG_RHEL_08_040125: true
DISA_STIG_RHEL_08_040126: true
DISA_STIG_RHEL_08_040127: true
DISA_STIG_RHEL_08_040128: true
DISA_STIG_RHEL_08_040129: true
DISA_STIG_RHEL_08_040130: true
DISA_STIG_RHEL_08_040131: true
DISA_STIG_RHEL_08_040132: true
DISA_STIG_RHEL_08_040133: true
DISA_STIG_RHEL_08_040134: true
DISA_STIG_RHEL_08_040135: true
DISA_STIG_RHEL_08_040136: true
DISA_STIG_RHEL_08_040139: true
DISA_STIG_RHEL_08_040141: true
DISA_STIG_RHEL_08_040159: true
DISA_STIG_RHEL_08_040161: true
DISA_STIG_RHEL_08_040170: true
DISA_STIG_RHEL_08_040172: true
DISA_STIG_RHEL_08_040180: true
DISA_STIG_RHEL_08_040209: true
DISA_STIG_RHEL_08_040210: true
DISA_STIG_RHEL_08_040220: true
DISA_STIG_RHEL_08_040230: true
DISA_STIG_RHEL_08_040239: true
DISA_STIG_RHEL_08_040240: true
DISA_STIG_RHEL_08_040249: true
DISA_STIG_RHEL_08_040250: true
DISA_STIG_RHEL_08_040261: true
DISA_STIG_RHEL_08_040262: true
DISA_STIG_RHEL_08_040270: true
DISA_STIG_RHEL_08_040279: true
DISA_STIG_RHEL_08_040280: true
DISA_STIG_RHEL_08_040281: true
DISA_STIG_RHEL_08_040282: true
DISA_STIG_RHEL_08_040283: true
DISA_STIG_RHEL_08_040284: true
DISA_STIG_RHEL_08_040285: true
DISA_STIG_RHEL_08_040286: true
DISA_STIG_RHEL_08_040370: true
DISA_STIG_RHEL_08_040380: true
# --- Rule selectors by rule short-name ---------------------------------------
# One flag per hardening rule (names follow the ComplianceAsCode/SCAP Security
# Guide rule IDs). The `var_*` values above feed the rules of the same name.
accounts_max_concurrent_login_sessions: true
accounts_password_pam_dcredit: true
accounts_password_pam_difok: true
accounts_password_pam_lcredit: true
accounts_password_pam_maxclassrepeat: true
accounts_password_pam_maxrepeat: true
accounts_password_pam_minlen: true
accounts_password_pam_ocredit: true
accounts_password_pam_ucredit: true
accounts_password_pam_unix_remember: true
accounts_passwords_pam_faillock_deny: true
accounts_passwords_pam_faillock_interval: true
accounts_passwords_pam_faillock_unlock_time: true
accounts_umask_etc_bashrc: true
accounts_umask_etc_csh_cshrc: true
accounts_umask_etc_profile: true
# Audit rules: both success and failure of file access/create/delete/modify,
# ownership and permission changes, module loads, plus login-UID immutability
# (`--loginuid-immutable`) and the OSPP general rule set. Expect a sizeable
# increase in audit volume; size /var/log/audit accordingly.
audit_access_failed: true
audit_access_success: true
audit_basic_configuration: true
audit_create_failed: true
audit_create_success: true
audit_delete_failed: true
audit_delete_success: true
audit_immutable_login_uids: true
audit_modify_failed: true
audit_modify_success: true
audit_module_load: true
audit_ospp_general: true
audit_owner_change_failed: true
audit_owner_change_success: true
audit_perm_change_failed: true
audit_perm_change_success: true
auditd_data_retention_flush: true
auditd_freq: true
auditd_local_events: true
auditd_log_format: true
auditd_name_format: true
auditd_write_logs: true
# chrony as a client only, and chronyc restricted to the local socket.
chronyd_client_only: true
chronyd_no_chronyc_network: true
# tmux is launched from bashrc and locks the session after a timeout.
configure_bashrc_exec_tmux: true
# Apply the system crypto policy to the Kerberos, libreswan, OpenSSL and
# SSH back-ends (they each have their own policy hook).
configure_crypto_policy: true
configure_kerberos_crypto_policy: true
configure_libreswan_crypto_policy: true
configure_openssl_crypto_policy: true
configure_ssh_crypto_policy: true
configure_strategy: true
configure_tmux_lock_after_time: true
configure_tmux_lock_command: true
# Core dumps: no backtraces, no storage, disabled for users (see also
# service_systemd_coredump_disabled). Crash analysis needs these re-enabled.
coredump_disable_backtraces: true
coredump_disable_storage: true
# Ctrl-Alt-Del does nothing (no reboot, no burst action).
disable_ctrlaltdel_burstaction: true
disable_ctrlaltdel_reboot: true
# sshd HostbasedAuthentication off.
disable_host_auth: true
disable_strategy: true
disable_users_coredumps: true
enable_authselect: true
# FIPS mode: dracut fips module plus fips=1 on the kernel command line.
# Takes effect after reboot; the kernel modules in use must be FIPS-capable.
enable_dracut_fips_module: true
enable_fips_mode: true
enable_strategy: true
# dnf: gpgcheck on globally and for local packages, never disabled per repo,
# and the Red Hat release key installed — supply-chain integrity for updates.
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_local_packages: true
ensure_gpgcheck_never_disabled: true
ensure_redhat_gpgkey_installed: true
# Kernel command-line arguments via grub2 (zipl_* below are the s390x twins):
# audit=1 with a larger backlog, recovery entries disabled, CPU RNG trusted,
# page poisoning, page-table isolation, slub_debug (value above), vsyscall=none.
grub2_audit_argument: true
grub2_audit_backlog_limit_argument: true
grub2_disable_recovery: true
grub2_kernel_trust_cpu_rng: true
grub2_page_poison_argument: true
grub2_pti_argument: true
grub2_slub_debug_argument: true
grub2_vsyscall_argument: true
# Disruption / severity / complexity selectors. All levels are enabled, so
# the role will also run the high-disruption rules (partition mount options,
# FIPS, SELinux enforcing, fapolicyd, usbguard); review them before running
# against an existing host rather than a fresh build.
high_disruption: true
high_severity: true
kerberos_disable_no_keytab: true
# Blacklist unused protocol/filesystem modules (atm, bluetooth, can, cramfs,
# sctp, tipc) to shrink the kernel attack surface.
kernel_module_atm_disabled: true
kernel_module_bluetooth_disabled: true
kernel_module_can_disabled: true
kernel_module_cramfs_disabled: true
kernel_module_sctp_disabled: true
kernel_module_tipc_disabled: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
# Mount options (nodev/nosuid/noexec) for /boot, /dev/shm, /home, /tmp, /var,
# /var/log, /var/log/audit and /var/tmp. These presume each path is its own
# mount; on a single-partition host the corresponding rules cannot apply —
# check how the tasks behave (skip vs. fail) in that case. noexec on /tmp and
# /var/tmp breaks installers and scripts that execute from there.
mount_option_boot_nodev: true
mount_option_boot_nosuid: true
mount_option_dev_shm_nodev: true
mount_option_dev_shm_noexec: true
mount_option_dev_shm_nosuid: true
mount_option_home_nodev: true
mount_option_home_nosuid: true
mount_option_nodev_nonroot_local_partitions: true
mount_option_tmp_nodev: true
mount_option_tmp_noexec: true
mount_option_tmp_nosuid: true
mount_option_var_log_audit_nodev: true
mount_option_var_log_audit_noexec: true
mount_option_var_log_audit_nosuid: true
mount_option_var_log_nodev: true
mount_option_var_log_noexec: true
mount_option_var_log_nosuid: true
mount_option_var_nodev: true
mount_option_var_tmp_nodev: true
mount_option_var_tmp_noexec: true
mount_option_var_tmp_nosuid: true
no_empty_passwords: true
# Both reboot selectors are enabled: rules that need a reboot are applied too,
# but the role does not reboot for you — plan one after the run.
no_reboot_needed: true
openssl_use_strong_entropy: true
# Package removals: crash reporters (abrt*, libreport plugins), gssproxy,
# iprutils, krb5-workstation, nfs-utils and sendmail. Anything relying on
# NFS mounts or Kerberos client tooling on this host will stop working.
package_abrt_addon_ccpp_removed: true
package_abrt_addon_kerneloops_removed: true
package_abrt_cli_removed: true
package_abrt_plugin_sosreport_removed: true
package_abrt_removed: true
# Package installs: integrity checking (aide), audit, chrony, crypto-policies,
# dnf-automatic, fapolicyd (application allow-listing), firewalld, openscap
# scanner + SSG content, rsyslog, subscription-manager, tmux, usbguard.
package_aide_installed: true
package_audit_installed: true
package_chrony_installed: true
package_crypto_policies_installed: true
package_dnf_automatic_installed: true
package_dnf_plugin_subscription_manager_installed: true
package_fapolicyd_installed: true
package_firewalld_installed: true
package_gnutls_utils_installed: true
package_gssproxy_removed: true
package_iprutils_removed: true
package_krb5_workstation_removed: true
package_libreport_plugin_logger_removed: true
package_libreport_plugin_rhtsupport_removed: true
package_nfs_utils_removed: true
package_openscap_scanner_installed: true
package_openssh_clients_installed: true
package_openssh_server_installed: true
package_policycoreutils_installed: true
package_policycoreutils_python_utils_installed: true
package_python3_abrt_addon_removed: true
package_rsyslog_installed: true
package_scap_security_guide_installed: true
package_sendmail_removed: true
package_subscription_manager_installed: true
package_sudo_installed: true
package_tmux_installed: true
package_usbguard_installed: true
reboot_required: true
# Single-user/rescue mode requires the root password.
require_singleuser_auth: true
restrict_strategy: true
# Root may log in only on the console (securetty) and `su` requires wheel
# membership — this is the local break-glass path once faillock and
# sshd_disable_root_login are in place.
securetty_root_login_console_only: true
selinux_policytype: true
selinux_state: true
# Services: auditd, fapolicyd, firewalld and usbguard enabled; debug-shell,
# kdump and systemd-coredump disabled. fapolicyd in its default policy can
# block binaries outside RPM-managed paths; usbguard may reject USB devices
# other than HID/hubs (see usbguard_allow_hid_and_hub) — test on hardware
# with the peripherals you actually need.
service_auditd_enabled: true
service_debug_shell_disabled: true
service_fapolicyd_enabled: true
service_firewalld_enabled: true
service_kdump_disabled: true
service_systemd_coredump_disabled: true
service_usbguard_enabled: true
# SSH client: rekey limits (values above) and SSH_USE_STRONG_RNG exported
# from the sh and csh profile scripts.
ssh_client_rekey_limit: true
ssh_client_use_strong_rng_csh: true
ssh_client_use_strong_rng_sh: true
# sshd: no empty passwords, GSSAPI/Kerberos auth off, root login off,
# StrictModes on, warning banner, rekey limit, idle timeout with
# ClientAliveCountMax 0, strong RNG. Make sure a non-root admin account with
# key-based access exists before sshd_disable_root_login is applied.
sshd_disable_empty_passwords: true
sshd_disable_gssapi_auth: true
sshd_disable_kerb_auth: true
sshd_disable_root_login: true
sshd_enable_strictmodes: true
sshd_enable_warning_banner: true
sshd_rekey_limit: true
sshd_set_idle_timeout: true
sshd_set_keepalive_0: true
sshd_use_strong_rng: true
# Kernel sysctls without an explicit `_value` above: protected hard/sym links,
# core_pattern, dmesg_restrict, kexec_load_disabled, perf_event_paranoid,
# unprivileged BPF disabled, Yama ptrace scope, BPF JIT hardening,
# ip_forward off, user namespace limit. NOTE(review): the conventional value
# for user_max_user_namespaces in this rule set is 0, which breaks rootless
# containers (podman) — verify the task's value if that matters on the host.
sysctl_fs_protected_hardlinks: true
sysctl_fs_protected_symlinks: true
sysctl_kernel_core_pattern: true
sysctl_kernel_dmesg_restrict: true
sysctl_kernel_kexec_load_disabled: true
sysctl_kernel_kptr_restrict: true
sysctl_kernel_perf_event_paranoid: true
sysctl_kernel_unprivileged_bpf_disabled: true
sysctl_kernel_yama_ptrace_scope: true
sysctl_net_core_bpf_jit_harden: true
sysctl_net_ipv4_conf_all_accept_redirects: true
sysctl_net_ipv4_conf_all_accept_source_route: true
sysctl_net_ipv4_conf_all_log_martians: true
sysctl_net_ipv4_conf_all_rp_filter: true
sysctl_net_ipv4_conf_all_secure_redirects: true
sysctl_net_ipv4_conf_all_send_redirects: true
sysctl_net_ipv4_conf_default_accept_redirects: true
sysctl_net_ipv4_conf_default_accept_source_route: true
sysctl_net_ipv4_conf_default_log_martians: true
sysctl_net_ipv4_conf_default_rp_filter: true
sysctl_net_ipv4_conf_default_secure_redirects: true
sysctl_net_ipv4_conf_default_send_redirects: true
sysctl_net_ipv4_icmp_echo_ignore_broadcasts: true
sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true
# ip_forward off: do not apply unmodified on hosts that route or run
# container/VM bridges that rely on forwarding.
sysctl_net_ipv4_ip_forward: true
sysctl_net_ipv4_tcp_syncookies: true
sysctl_net_ipv6_conf_all_accept_ra: true
sysctl_net_ipv6_conf_all_accept_redirects: true
sysctl_net_ipv6_conf_all_accept_source_route: true
sysctl_net_ipv6_conf_default_accept_ra: true
sysctl_net_ipv6_conf_default_accept_redirects: true
sysctl_net_ipv6_conf_default_accept_source_route: true
sysctl_user_max_user_namespaces: true
unknown_severity: true
unknown_strategy: true
usbguard_allow_hid_and_hub: true
use_pam_wheel_for_su: true
# s390x boot loader (zipl) counterparts of the grub2_* kernel arguments, plus
# a check that the bootmap was regenerated after the config change.
zipl_audit_argument: true
zipl_audit_backlog_limit_argument: true
zipl_bootmap_is_up_to_date: true
zipl_page_poison_argument: true
zipl_slub_debug_argument: true