defaults/main.yml

---

## STIG category to run
rhel7stig_cat1_patch: true
rhel7stig_cat2_patch: true
rhel7stig_cat3_patch: true

## Python Binary
## This is used for python3 Installations where python2 OS modules are used in ansible
python2_bin: /bin/python2.7

## Benchmark name used by auditing control role
# audit variable found at the base
benchmark: RHEL7-STIG
## metadata for Audit benchmark
benchmark_version: 'v3r14'

# Whether to skip the reboot
rhel7stig_skip_reboot: true

# With CentOS being EoL many mirrors no longer exist and fail for updates
# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
# It will add the new vaulted location where it is possible to get updates and package
rhel7stig_add_updated_repo: false

###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings  ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

## Only run Audit do not remediate
audit_only: false
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

# Where the audit logs are stored
audit_log_dir: '/opt'

### Goss Settings ##
####### END ########

#### Detailed settings found at the end of this document ####

# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question.  In the future this might mean that the remediation
# may fail in some cases.
rhel7stig_complexity_high: false

# Show "changed" for complex items not remediated per complexity-high setting
# to make them stand out.  "changed" items on a second run of the role would
# indicate items requiring manual review.
rhel7stig_audit_complex: true

# We've defined disruption-high to indicate items that are likely to cause
# disruption in a normal workflow.  These items can be remediated automatically
# but are disabled by default to avoid disruption.
rhel7stig_disruption_high: false

# Show "changed" for disruptive items not remediated per disruption-high
# setting to make them stand out.
rhel7stig_audit_disruptive: true

# Skip controls that conflict with travis environments
rhel7stig_skip_for_travis: false

rhel7stig_workaround_for_disa_benchmark: true
rhel7stig_workaround_for_ssg_benchmark: true

# tweak role to run in a chroot, such as in kickstart %post script
rhel7stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"

# tweak role to run in a non-privileged container
rhel7stig_system_is_container: false

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
# in order for the variables below to take effect.
# CAT 1 rules
rhel_07_010010: true
rhel_07_010020: true
rhel_07_010290: true
rhel_07_010291: true
rhel_07_010300: true
rhel_07_010440: true
rhel_07_010450: true
# possibly removed
# rhel_07_010480: true
rhel_07_010482: true
# possibly removed
# rhel_07_010490: true
rhel_07_010491: true
rhel_07_020000: true
rhel_07_020010: true
rhel_07_020050: true
rhel_07_020060: true
rhel_07_020230: true
rhel_07_020231: true
# not an automated task
rhel_07_020250: true
rhel_07_020310: true
rhel_07_021350: true
rhel_07_021710: true
rhel_07_032000: true
rhel_07_040390: true
rhel_07_040540: true
rhel_07_040550: true
rhel_07_040690: true
rhel_07_040700: true
rhel_07_040800: true
# CAT 2 rules
rhel_07_010019: true
rhel_07_010030: "{{ rhel7stig_gui }}"
rhel_07_010040: "{{ rhel7stig_gui }}"
rhel_07_010050: true
rhel_07_010060: "{{ rhel7stig_gui }}"
rhel_07_010061: "{{ rhel7stig_gui }}"
rhel_07_010062: "{{ rhel7stig_gui }}"
rhel_07_010063: "{{ rhel7stig_gui }}"
rhel_07_010070: "{{ rhel7stig_gui }}"
rhel_07_010081: "{{ rhel7stig_gui }}"
rhel_07_010082: "{{ rhel7stig_gui }}"
rhel_07_010090: true
rhel_07_010100: "{{ rhel7stig_gui }}"
rhel_07_010101: "{{ rhel7stig_gui }}"
rhel_07_010110: "{{ rhel7stig_gui }}"
rhel_07_010118: true
rhel_07_010119: true
rhel_07_010120: true
rhel_07_010130: true
rhel_07_010140: true
rhel_07_010150: true
rhel_07_010160: true
rhel_07_010170: true
rhel_07_010180: true
rhel_07_010190: true
rhel_07_010199: true
rhel_07_010200: true
rhel_07_010210: true
rhel_07_010220: true
rhel_07_010230: true
rhel_07_010240: true
rhel_07_010250: true
rhel_07_010260: true
rhel_07_010270: true
rhel_07_010271: true
rhel_07_010280: true
rhel_07_010310: true
rhel_07_010320: true
rhel_07_010330: true
rhel_07_010339: true
rhel_07_010340: true
rhel_07_010341: true
rhel_07_010342: true
rhel_07_010343: true
rhel_07_010344: true
rhel_07_010350: true
rhel_07_010430: true
rhel_07_010460: true
rhel_07_010470: true
rhel_07_010481: true
rhel_07_010483: true
rhel_07_010492: true
rhel_07_010500: true
rhel_07_020019: true
rhel_07_020020: true
rhel_07_020021: true
rhel_07_020022: true
rhel_07_020023: true
rhel_07_020028: true  # Is required for 20030 &20040
rhel_07_020029: true
rhel_07_020030: true
# Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications
rhel_07_020040: "{{ rhel7stig_disruption_high }}"
rhel_07_020100: true
rhel_07_020101: true
rhel_07_020110: true
rhel_07_020111: true
rhel_07_020210: true
rhel_07_020220: true
rhel_07_020240: true
rhel_07_020260: true
rhel_07_020270: true
rhel_07_020320: true
rhel_07_020330: true
rhel_07_020600: true
rhel_07_020610: true
rhel_07_020620: true
rhel_07_020630: true
rhel_07_020640: true
rhel_07_020650: true
rhel_07_020660: true
rhel_07_020670: true
rhel_07_020680: true
rhel_07_020690: true
rhel_07_020700: true
rhel_07_020710: true
rhel_07_020720: true
rhel_07_020730: true
rhel_07_020900: true
rhel_07_021000: true
rhel_07_021010: true
rhel_07_021020: true
rhel_07_021021: true
rhel_07_021030: true
rhel_07_021031: true
rhel_07_021040: true
rhel_07_021100: true
rhel_07_021110: true
rhel_07_021120: true
rhel_07_021300: true
rhel_07_021620: true
rhel_07_021700: true
rhel_07_030000: true
rhel_07_030010: true
rhel_07_030201: true
rhel_07_030210: true
rhel_07_030211: true
# if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server
rhel_07_030300: "{{ rhel7stig_audisp_remote_server is defined }}"
rhel_07_030310: true
rhel_07_030320: true
rhel_07_030321: true
rhel_07_030330: true
rhel_07_030340: true
rhel_07_030350: true
rhel_07_030360: true
rhel_07_030370: true
rhel_07_030410: true
rhel_07_030440: true
rhel_07_030510: true
rhel_07_030560: true
rhel_07_030570: true
rhel_07_030580: true
rhel_07_030590: true
rhel_07_030610: true
rhel_07_030620: true
rhel_07_030630: true
rhel_07_030640: true
rhel_07_030650: true
rhel_07_030660: true
rhel_07_030670: true
rhel_07_030680: true
rhel_07_030690: true
rhel_07_030700: true
rhel_07_030710: true
rhel_07_030720: true
rhel_07_030740: true
rhel_07_030750: true
rhel_07_030760: true
rhel_07_030770: true
rhel_07_030780: true
rhel_07_030800: true
rhel_07_030810: true
rhel_07_030819: true
rhel_07_030820: true
rhel_07_030821: true
rhel_07_030830: true
rhel_07_030840: true
rhel_07_030870: true
rhel_07_030871: true
rhel_07_030872: true
rhel_07_030873: true
rhel_07_030874: true
rhel_07_030880: true
rhel_07_030890: true
rhel_07_030900: true
rhel_07_030910: true
rhel_07_030920: true
rhel_07_031000: true
rhel_07_031010: true
rhel_07_040100: true
rhel_07_040110: true
rhel_07_040160: true
rhel_07_040170: true
rhel_07_040180: true
rhel_07_040190: true
rhel_07_040200: true
rhel_07_040201: true
rhel_07_040300: true
rhel_07_040310: true
rhel_07_040320: true
rhel_07_040330: true
rhel_07_040340: true
rhel_07_040350: true
rhel_07_040360: true
rhel_07_040370: true
rhel_07_040380: true
rhel_07_040400: true
rhel_07_040410: true
rhel_07_040420: true
rhel_07_040430: true
rhel_07_040440: true
rhel_07_040450: true
rhel_07_040460: true
rhel_07_040470: true
rhel_07_040500: true
rhel_07_040520: true
rhel_07_040610: true
rhel_07_040611: true
rhel_07_040612: true
rhel_07_040620: true
rhel_07_040630: true
rhel_07_040640: true
rhel_07_040641: true
rhel_07_040650: true
rhel_07_040660: true
rhel_07_040670: true
rhel_07_040680: true
rhel_07_040710: true
rhel_07_040711: true
rhel_07_040712: true
rhel_07_040720: true
rhel_07_040730: true
rhel_07_040740: true
rhel_07_040750: true
rhel_07_040810: true
rhel_07_040820: true
rhel_07_040830: true
rhel_07_041001: true
rhel_07_041002: true
rhel_07_041003: true
rhel_07_041010: true
rhel_07_910055: true

# CAT 3 rules
rhel_07_010375: true
rhel_07_020200: true
rhel_07_020300: true
rhel_07_021024: true
rhel_07_021310: true
rhel_07_021320: true
rhel_07_021330: true
rhel_07_021340: true
rhel_07_021600: true
rhel_07_021610: true
rhel_07_040000: true
rhel_07_040530: true
rhel_07_040600: true

# Whether or not to run tasks related to auditing/patching the desktop environment - is discovered if using gnome
rhel7stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"

# Whether to configure dconf rules unconditionally (ignoring presence of dconf
# or rhel7stig_gui)
rhel7stig_always_configure_dconf: false

# Whether or not to run tasks related to smart card authentication enforcement
rhel7stig_smartcard: false
# Configure your smartcard driver
rhel7stig_smartcarddriver: cackey

# RHEL_07_010310
# Must be 35 or less but not 0 or -1
rhel_07_010310_inactive: 35
# RHEL_07_020020
# Set "selinux_change_users" false to disable this control's actions and just report results.
# You will need to adjust the paths for installed HIPS/HBSS for this control.
# You will need to map both the local interactive and LDAP groups to map selinux user groups to.
# If LDAP is not in use, it will ignore the settings below and not attempt to map LDAP users.
rhel_07_020020_selinux_change_users: true
rhel_07_020020_hbbs_path: /opt/McAfee/Agent/bin
rhel_07_020020_hips_path: /opt/McAfee/Agent/bin
rhel_07_020020_selinux_ldap_maps: false
# rhel_07_020020_selinux_local_interactive_admin_group: wheel
rhel_07_020020_selinux_local_interactive_users_group: users
rhel_07_020020_selinux_local_interactive_staff_group: staff

# RHEL-07-020710
# Set standard user paths here
# Also set whether we should automatically remediate paths in user ini files.
rhel_07_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
rhel7stig_change_user_path: false

# RHEL-07-020730
# Do we change world-writable executable programs to mode 0755?
rhel_07_020730_wwp_change: true

# RHEL-07-020250
# This is a check for a "supported release"
# These are the minimum supported releases.
# (Red Hat has support for older versions if you pay extra for it.)
rhel7stig_min_supported_os_ver:
    RedHat: "7.9"
    CentOS: "7.9"
    OracleLinux: "7.9"

# RHEL-07-040740
# If system is not router, run tasks that disable router functions.
rhel7stig_system_is_router: false

# RHEL-07-032000
# Install and enable a DOD-approved AV program. ClamAV and McAfee (nails)
# are the currently approved applications. This variable is used in two separate
# tasks that will install the package and start and enable the service.

# Only set this to true if you have a valid
# antivirus solution in your repositories, else it will fail every time.
rhel7stig_antivirus_required: false

rhel7stig_av_package:
    package:
        - clamav
        - clamav-update
        - clamd
    service: clamd

rhel7stig_time_service: chronyd
rhel7stig_time_service_configs:
    chronyd:
        conf: /etc/chrony.conf
        block: |
          server 0.rhel.pool.ntp.org iburst maxpoll 10
          server 1.rhel.pool.ntp.org iburst maxpoll 10
          server 2.rhel.pool.ntp.org iburst maxpoll 10
          server 3.rhel.pool.ntp.org iburst maxpoll 10
    ntpd:
        conf: /etc/ntp.conf
        lines:
            - regexp: ^#?maxpoll
              line: maxpoll 10

# The firewall to be used
rhel7stig_firewall_service: firewalld
# The toggle to start the firewall service. Set to true the role will start the service for you where needed
rhel7stig_start_firewall_service: true

# allowed firewall ports and protocols as found in the command used to discover
rhel7stig_firewall_ports_protocols:
    - '22/tcp'
    - '546/udp'

# RHEL-07-031010
rhel7stig_system_is_log_aggregator: false

rhel7stig_use_fips: true
fips_value: '0'
rhel7stig_fips_ciphers: aes256-ctr,aes192-ctr,aes128-ctr
rhel7stig_fips_macs: hmac-sha2-512,hmac-sha2-256
rhel7stig_fips_kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
# RHEL-07-040300
# RHEL-07-040310
# Install and enable ssh on networked systems
rhel7stig_ssh_required: true
rhel7stig_ssh_ciphers: "{{ rhel7stig_fips_ciphers }}"
rhel7stig_ssh_macs: "{{ rhel7stig_fips_macs }}"
rhel7stig_ssh_kex: "{{ rhel7stig_fips_kex }}"

# RHEL-07-040490
# If not required, remove vsftpd.
rhel7stig_vsftpd_required: false

# RHEL-07-040500
# If not required, remove tftp
rhel7stig_tftp_required: false

# Service configuration booleans set true to keep service
rhel7stig_autofs_required: false
rhel7stig_kdump_required: false

# RHEL-07-040580
# Set the SNMP community string to this from the default of public or private
rhel7stig_snmp_community: Endgam3Ladyb0g

# whether to force role-specified packages to be installed regardless of the
# presence of another compliant equivalent
rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"

# RHEL-07-010480 and RHEL-07-010490
# Password protect the boot loader

rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
rhel7stig_boot_superuser: root

# RHEL-07-021700 set the value for correctly configured grub bootloader sequence
# note this is different for bios and EFI boot types. so can be changed via the inventory or alternate vars
rhel7stig_grub_bootloader_validorder: "set root='hd0,1'"

# RHEL-07-040200 Path for cacrt bundle that holds LDAP certs for tls transport
rhel_07_040200_cabundle_path: etc/pki/tls/certs/ca-bundle.crt

# AIDE settings
# Set to false for fire and forget mode
rhel7stig_wait_for_aide_init: true
rhel7stig_aide_handler: "{{ (rhel7stig_wait_for_aide_init) | ternary('init aide and wait','init aide') }}"

# Set to false to not overwrite an existing AIDE DB
rhel7stig_overwrite_aide_db: true

# AIDE database file locations
rhel7stig_aide_temp_db_file: /var/lib/aide/aide.db.new.gz
rhel7stig_aide_db_file: /var/lib/aide/aide.db.gz

# RHEL-07-010483 & RHEL-07-010492
rhel7stig_grub_superusers: su_mode_superuser

# RHEL-07-020030 & RHEL-07-020040
rhel7stig_aide_cron:
    user: root
    cron_file: aide
    job: '/usr/sbin/aide --check'
    hour: '5'
    minute: '0'
    special_time: daily
    # Disable the notification check rule to disable mailing notifications
    notify_by_mail: "{{ rhel_07_020040 }}"
    notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'

rhel7stig_cron_special_disable: "{{
        rhel7stig_workaround_for_disa_benchmark or
        rhel7stig_workaround_for_ssg_benchmark or
        false }}"

rhel7stig_aide_conf:
    file: /etc/aide.conf

# Set maximum number of simultaneous system logins (RHEL-07-040000)
rhel7stig_maxlogins: 10

# Set the login banner settings
rhel7stig_logon_banner: "{{ rhel7stig_workaround_for_disa_benchmark | ternary(
        rhel7stig_logon_banner_nice | regex_replace('(?s)(?<!\\n)\\n(?!(\n|$))', ' '),
        rhel7stig_logon_banner_nice) }}"
rhel7stig_logon_banner_nice: |
    You are accessing a U.S. Government (USG) Information System (IS) that is
    provided for USG-authorized use only.

    By using this IS (which includes any device attached to this IS), you consent
    to the following conditions:

    -The USG routinely intercepts and monitors communications on this IS for
    purposes including, but not limited to, penetration testing, COMSEC monitoring,
    network operations and defense, personnel misconduct (PM), law enforcement
    (LE), and counterintelligence (CI) investigations.

    -At any time, the USG may inspect and seize data stored on this IS.

    -Communications using, or data stored on, this IS are not private, are subject
    to routine monitoring, interception, and search, and may be disclosed or used
    for any USG-authorized purpose.

    -This IS includes security measures (e.g., authentication and access controls)
    to protect USG interests--not for your personal benefit or privacy.

    -Notwithstanding the above, using this IS does not constitute consent to PM, LE
    or CI investigative searching or monitoring of the content of privileged
    communications, or work product, related to personal representation or services
    by attorneys, psychotherapists, or clergy, and their assistants. Such
    communications and work product are private and confidential. See User
    Agreement for details.

# Password complexity settings
rhel7stig_password_complexity:
    ucredit: -1
    lcredit: -1
    dcredit: -1
    ocredit: -1
    difok: 8
    minclass: 4
    maxrepeat: 3
    maxclassrepeat: 4
    minlen: 15

# RHEL-07-020022
# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean.
# The value False will set the value to off, which does not allow privileged accounts to utilize SSH
# The value True will set the value to on, which allows privileged accounts to utilize SSH
# To confrom to STIG requirements use the value of false
# If set to True this needs to be documented with your ISSO as an operational requirement to be STIG compliant
rhel7stig_ssh_sysadm_login_state: false

# RHEL-07-040160
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 15 = 900)
rhel7stig_shell_session_timeout:
    file: /etc/profile.d/tmout.sh
    timeout: 900

# RHEL-07-040320 | All network connections associated with SSH traffic must
# terminate at the end of the session or after 10 minutes of inactivity, except
# to fulfill documented and validated mission requirements.
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel7stig_ssh_session_timeout: 600

# RHEL-07-020260
# Configure regular automatic package updates using yum-cron
# update_cmd options:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix upgrade-minimal
# minimal-security                   = yum --security upgrade-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical upgrade-minimal
rhel7stig_auto_package_updates_enabled: false
rhel7stig_auto_package_updates:
    enabled: "{{ rhel7stig_auto_package_updates_enabled }}"
    update_cmd: "minimal-security"
    frequency: daily

# RHEL-07-020270
# If vsftpd is required, remove 'ftp' from rhel7stig_unnecessary_accounts.
#
# By default, files owned by removed users will be retained, but this may
# trigger RHEL-07-020320 (all files and directories must have a valid owner).
# Set rhel7stig_remove_unnecessary_user_files to true to remove old files,
# but this could remove files you intended to keep. And it's probably best to
# avoid removing 'dbus', 'nobody', 'systemd-network', and 'polkitd', as they all
# have home directories of '/' by default.
rhel7stig_unnecessary_accounts:
    - ftp
    - games
rhel7stig_remove_unnecessary_user_files: false

# RHEL-07-010270
# pam_pwhistory settings - Verify the operating system prohibits password reuse for a minimum of five generations.
rhel7stig_pam_pwhistory:
    remember: 5
    retries: 3

# RHEL-07-010320
# RHEL-07-010330
# pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
rhel7stig_pam_faillock:
    attempts: 3
    interval: 900
    unlock_time: 900
    fail_for_root: true

# RHEL-07-030320 and RHEL-07-030321
rhel7stig_audisp_disk_full_action: syslog
rhel7stig_audisp_network_failure_action: syslog

# RHEL-07-040670
# Network interface promiscuous mode setting will be disabled unless set to true
rhel7stig_net_promisc_mode_required: false

# /etc/login.defs settings
# RHEL-07-010210
# RHEL-07-010230
# RHEL-07-010250
# RHEL-07-010430
# RHEL-07-020240
# RHEL-07-020610
rhel7stig_login_defaults:
    encrypt_method: SHA512
    pass_min_days: 1
    pass_max_days: 60
    fail_delay_secs: 4
    umask: '077'
    create_home: 'yes'

# Default value - if control is enabled this will run for the valid controls.
update_audit_template: false

# RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs
# rhel7stig_audisp_remote_server: 10.10.10.10

# RHEL-07-030350
rhel7stig_audit_daemon: auditd
rhel7stig_auditd_mail_acct: root

# RHEL-07-020630
rhel7stig_homedir_mode: g-w,o-rwx

# RHEL-07-031000
# rhel7stig_log_aggregation_server: logagg.example.com
# Log aggregation port can be set the following '@'=UDP and '@@'=TCP
# rhel7stig_log_aggregation_port: '@@'

# RHEL-07-040180
# Whether the system should be using LDAP for authentication
rhel7stig_auth_settings:
    use_ldap: true
    use_sssd: true

# RHEL-07-040820
rhel7stig_ipsec_required: false

# RHEL-07-010340
# Setting to enable or disable fixes that depend on password-based authentication
# i.e. if users authenticate with a means other than passwords (pubkey)
# and will not know or use passwords then this should be 'false'
rhel7stig_using_password_auth: true

rhel7stig_availability_override: false
# # auditd_failure_flag
# # 2    Tells your system to perform an immediate shutdown without
# #      flushing any pending data to disk when the limits of your
# #      audit system are exceeded. Because this shutdown is not a clean shutdown.
# #      restrict the use of -f 2 to only the most security conscious environments
# # 1    System continues to run, issues a warning and audit stops.
# #      Use this for any other setup to avoid loss of data or data corruption.
rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, 2) }}"

rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"

rhel7stig_boot_part: /boot

rhel7stig_legacy_boot_path: '/boot/grub2/'
rhel7stig_efi_boot_path: '/boot/efi/EFI/'

# rhel7stig_machine_uses_uefi: "{{ rhel_07_sys_firmware_efi.stat.exists }}"
# rhel7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary(rhel7stig_bootloader_path'/grub.cfg', '/boot/grub2/grub.cfg') }}"
# rhel7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"

# oracle7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
# oracle7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"

rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

# DNS Servers to configure, you need two to conform to STIG standards
rhel_07_040600_dns_servers:
    - 9.9.9.9
    - 149.112.112.112

# The GID start point for interactive (non-system) users
rhel7stig_int_gid: 1000

# Control OL-07-040510
# Sets the invalid rate limit for IPv4 connections. Should be set to less than 1000 to conform to STIG standards
ol7stig_ipv4_tcp_invalid_ratelimit: 500

# Control RHEL-07-021031
# This control sets all world writable files to be owned by root. To conform to STIG standard all world-writable files must be owned by root or another system account
# With this toggle off it will list all world-writable files not owned by system accounts
rhel7stig_world_write_files_owner_root: false

# RHEL-07-010343
# The value given to Defaults timestamp timeout= in the sudo file.
# Value must be greater than 0 to conform to STIG standards
rhel7stig_sudo_timestamp_timeout: 1