-
Notifications
You must be signed in to change notification settings - Fork 144
/
main.yml
765 lines (667 loc) · 24.9 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
---
## STIG category to run
rhel7stig_cat1_patch: true
rhel7stig_cat2_patch: true
rhel7stig_cat3_patch: true
## Python Binary
## This is used for python3 Installations where python2 OS modules are used in ansible
python2_bin: /bin/python2.7
## Benchmark name used by auditing control role
# audit variable found at the base
benchmark: RHEL7-STIG
## metadata for Audit benchmark
benchmark_version: 'v3r14'
# Whether to skip the reboot
rhel7stig_skip_reboot: true
# With CentOS being EoL many mirrors no longer exist and fail for updates
# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
# It will add the new vaulted location where it is possible to get updates and package
rhel7stig_add_updated_repo: false
###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings ###
# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false
# enable audits to run - this runs the audit and get the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true
## Only run Audit do not remediate
audit_only: false
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################
# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_audit_binary_method: download
## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path
# how to get audit files onto host options
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git
# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"
# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"
# Where the audit logs are stored
audit_log_dir: '/opt'
### Goss Settings ##
####### END ########
#### Detailed settings found at the end of this document ####
# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question. In the future this might mean that the remediation
# may fail in some cases.
rhel7stig_complexity_high: false
# Show "changed" for complex items not remediated per complexity-high setting
# to make them stand out. "changed" items on a second run of the role would
# indicate items requiring manual review.
rhel7stig_audit_complex: true
# We've defined disruption-high to indicate items that are likely to cause
# disruption in a normal workflow. These items can be remediated automatically
# but are disabled by default to avoid disruption.
rhel7stig_disruption_high: false
# Show "changed" for disruptive items not remediated per disruption-high
# setting to make them stand out.
rhel7stig_audit_disruptive: true
# Skip controls that conflict with travis environments
rhel7stig_skip_for_travis: false
rhel7stig_workaround_for_disa_benchmark: true
rhel7stig_workaround_for_ssg_benchmark: true
# tweak role to run in a chroot, such as in kickstart %post script
rhel7stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
# tweak role to run in a non-privileged container
rhel7stig_system_is_container: false
# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
# in order for the variables below to take effect.
# CAT 1 rules
rhel_07_010010: true
rhel_07_010020: true
rhel_07_010290: true
rhel_07_010291: true
rhel_07_010300: true
rhel_07_010440: true
rhel_07_010450: true
# possibly removed
# rhel_07_010480: true
rhel_07_010482: true
# possibly removed
# rhel_07_010490: true
rhel_07_010491: true
rhel_07_020000: true
rhel_07_020010: true
rhel_07_020050: true
rhel_07_020060: true
rhel_07_020230: true
rhel_07_020231: true
# not an automated task
rhel_07_020250: true
rhel_07_020310: true
rhel_07_021350: true
rhel_07_021710: true
rhel_07_032000: true
rhel_07_040390: true
rhel_07_040540: true
rhel_07_040550: true
rhel_07_040690: true
rhel_07_040700: true
rhel_07_040800: true
# CAT 2 rules
rhel_07_010019: true
rhel_07_010030: "{{ rhel7stig_gui }}"
rhel_07_010040: "{{ rhel7stig_gui }}"
rhel_07_010050: true
rhel_07_010060: "{{ rhel7stig_gui }}"
rhel_07_010061: "{{ rhel7stig_gui }}"
rhel_07_010062: "{{ rhel7stig_gui }}"
rhel_07_010063: "{{ rhel7stig_gui }}"
rhel_07_010070: "{{ rhel7stig_gui }}"
rhel_07_010081: "{{ rhel7stig_gui }}"
rhel_07_010082: "{{ rhel7stig_gui }}"
rhel_07_010090: true
rhel_07_010100: "{{ rhel7stig_gui }}"
rhel_07_010101: "{{ rhel7stig_gui }}"
rhel_07_010110: "{{ rhel7stig_gui }}"
rhel_07_010118: true
rhel_07_010119: true
rhel_07_010120: true
rhel_07_010130: true
rhel_07_010140: true
rhel_07_010150: true
rhel_07_010160: true
rhel_07_010170: true
rhel_07_010180: true
rhel_07_010190: true
rhel_07_010199: true
rhel_07_010200: true
rhel_07_010210: true
rhel_07_010220: true
rhel_07_010230: true
rhel_07_010240: true
rhel_07_010250: true
rhel_07_010260: true
rhel_07_010270: true
rhel_07_010271: true
rhel_07_010280: true
rhel_07_010310: true
rhel_07_010320: true
rhel_07_010330: true
rhel_07_010339: true
rhel_07_010340: true
rhel_07_010341: true
rhel_07_010342: true
rhel_07_010343: true
rhel_07_010344: true
rhel_07_010350: true
rhel_07_010430: true
rhel_07_010460: true
rhel_07_010470: true
rhel_07_010481: true
rhel_07_010483: true
rhel_07_010492: true
rhel_07_010500: true
rhel_07_020019: true
rhel_07_020020: true
rhel_07_020021: true
rhel_07_020022: true
rhel_07_020023: true
rhel_07_020028: true # Is required for 20030 &20040
rhel_07_020029: true
rhel_07_020030: true
# Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications
rhel_07_020040: "{{ rhel7stig_disruption_high }}"
rhel_07_020100: true
rhel_07_020101: true
rhel_07_020110: true
rhel_07_020111: true
rhel_07_020210: true
rhel_07_020220: true
rhel_07_020240: true
rhel_07_020260: true
rhel_07_020270: true
rhel_07_020320: true
rhel_07_020330: true
rhel_07_020600: true
rhel_07_020610: true
rhel_07_020620: true
rhel_07_020630: true
rhel_07_020640: true
rhel_07_020650: true
rhel_07_020660: true
rhel_07_020670: true
rhel_07_020680: true
rhel_07_020690: true
rhel_07_020700: true
rhel_07_020710: true
rhel_07_020720: true
rhel_07_020730: true
rhel_07_020900: true
rhel_07_021000: true
rhel_07_021010: true
rhel_07_021020: true
rhel_07_021021: true
rhel_07_021030: true
rhel_07_021031: true
rhel_07_021040: true
rhel_07_021100: true
rhel_07_021110: true
rhel_07_021120: true
rhel_07_021300: true
rhel_07_021620: true
rhel_07_021700: true
rhel_07_030000: true
rhel_07_030010: true
rhel_07_030201: true
rhel_07_030210: true
rhel_07_030211: true
# if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server
rhel_07_030300: "{{ rhel7stig_audisp_remote_server is defined }}"
rhel_07_030310: true
rhel_07_030320: true
rhel_07_030321: true
rhel_07_030330: true
rhel_07_030340: true
rhel_07_030350: true
rhel_07_030360: true
rhel_07_030370: true
rhel_07_030410: true
rhel_07_030440: true
rhel_07_030510: true
rhel_07_030560: true
rhel_07_030570: true
rhel_07_030580: true
rhel_07_030590: true
rhel_07_030610: true
rhel_07_030620: true
rhel_07_030630: true
rhel_07_030640: true
rhel_07_030650: true
rhel_07_030660: true
rhel_07_030670: true
rhel_07_030680: true
rhel_07_030690: true
rhel_07_030700: true
rhel_07_030710: true
rhel_07_030720: true
rhel_07_030740: true
rhel_07_030750: true
rhel_07_030760: true
rhel_07_030770: true
rhel_07_030780: true
rhel_07_030800: true
rhel_07_030810: true
rhel_07_030819: true
rhel_07_030820: true
rhel_07_030821: true
rhel_07_030830: true
rhel_07_030840: true
rhel_07_030870: true
rhel_07_030871: true
rhel_07_030872: true
rhel_07_030873: true
rhel_07_030874: true
rhel_07_030880: true
rhel_07_030890: true
rhel_07_030900: true
rhel_07_030910: true
rhel_07_030920: true
rhel_07_031000: true
rhel_07_031010: true
rhel_07_040100: true
rhel_07_040110: true
rhel_07_040160: true
rhel_07_040170: true
rhel_07_040180: true
rhel_07_040190: true
rhel_07_040200: true
rhel_07_040201: true
rhel_07_040300: true
rhel_07_040310: true
rhel_07_040320: true
rhel_07_040330: true
rhel_07_040340: true
rhel_07_040350: true
rhel_07_040360: true
rhel_07_040370: true
rhel_07_040380: true
rhel_07_040400: true
rhel_07_040410: true
rhel_07_040420: true
rhel_07_040430: true
rhel_07_040440: true
rhel_07_040450: true
rhel_07_040460: true
rhel_07_040470: true
rhel_07_040500: true
rhel_07_040520: true
rhel_07_040610: true
rhel_07_040611: true
rhel_07_040612: true
rhel_07_040620: true
rhel_07_040630: true
rhel_07_040640: true
rhel_07_040641: true
rhel_07_040650: true
rhel_07_040660: true
rhel_07_040670: true
rhel_07_040680: true
rhel_07_040710: true
rhel_07_040711: true
rhel_07_040712: true
rhel_07_040720: true
rhel_07_040730: true
rhel_07_040740: true
rhel_07_040750: true
rhel_07_040810: true
rhel_07_040820: true
rhel_07_040830: true
rhel_07_041001: true
rhel_07_041002: true
rhel_07_041003: true
rhel_07_041010: true
rhel_07_910055: true
# CAT 3 rules
rhel_07_010375: true
rhel_07_020200: true
rhel_07_020300: true
rhel_07_021024: true
rhel_07_021310: true
rhel_07_021320: true
rhel_07_021330: true
rhel_07_021340: true
rhel_07_021600: true
rhel_07_021610: true
rhel_07_040000: true
rhel_07_040530: true
rhel_07_040600: true
# Whether or not to run tasks related to auditing/patching the desktop environment - is discovered if using gnome
rhel7stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"
# Whether to configure dconf rules unconditionally (ignoring presence of dconf
# or rhel7stig_gui)
rhel7stig_always_configure_dconf: false
# Whether or not to run tasks related to smart card authentication enforcement
rhel7stig_smartcard: false
# Configure your smartcard driver
rhel7stig_smartcarddriver: cackey
# RHEL_07_010310
# Must be 35 or less but not 0 or -1
rhel_07_010310_inactive: 35
# RHEL_07_020020
# Set "selinux_change_users" false to disable this control's actions and just report results.
# You will need to adjust the paths for installed HIPS/HBSS for this control.
# You will need to map both the local interactive and LDAP groups to map selinux user groups to.
# If LDAP is not in use, it will ignore the settings below and not attempt to map LDAP users.
rhel_07_020020_selinux_change_users: true
rhel_07_020020_hbbs_path: /opt/McAfee/Agent/bin
rhel_07_020020_hips_path: /opt/McAfee/Agent/bin
rhel_07_020020_selinux_ldap_maps: false
# rhel_07_020020_selinux_local_interactive_admin_group: wheel
rhel_07_020020_selinux_local_interactive_users_group: users
rhel_07_020020_selinux_local_interactive_staff_group: staff
# RHEL-07-020710
# Set standard user paths here
# Also set whether we should automatically remediate paths in user ini files.
rhel_07_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
rhel7stig_change_user_path: false
# RHEL-07-020730
# Do we change world-writable executable programs to mode 0755?
rhel_07_020730_wwp_change: true
# RHEL-07-020250
# This is a check for a "supported release"
# These are the minimum supported releases.
# (Red Hat has support for older versions if you pay extra for it.)
rhel7stig_min_supported_os_ver:
RedHat: "7.9"
CentOS: "7.9"
OracleLinux: "7.9"
# RHEL-07-040740
# If system is not router, run tasks that disable router functions.
rhel7stig_system_is_router: false
# RHEL-07-032000
# Install and enable a DOD-approved AV program. ClamAV and McAfee (nails)
# are the currently approved applications. This variable is used in two separate
# tasks that will install the package and start and enable the service.
# Only set this to true if you have a valid
# antivirus solution in your repositories, else it will fail every time.
rhel7stig_antivirus_required: false
rhel7stig_av_package:
package:
- clamav
- clamav-update
- clamd
service: clamd
rhel7stig_time_service: chronyd
rhel7stig_time_service_configs:
chronyd:
conf: /etc/chrony.conf
block: |
server 0.rhel.pool.ntp.org iburst maxpoll 10
server 1.rhel.pool.ntp.org iburst maxpoll 10
server 2.rhel.pool.ntp.org iburst maxpoll 10
server 3.rhel.pool.ntp.org iburst maxpoll 10
ntpd:
conf: /etc/ntp.conf
lines:
- regexp: ^#?maxpoll
line: maxpoll 10
# The firewall to be used
rhel7stig_firewall_service: firewalld
# The toggle to start the firewall service. Set to true the role will start the service for you where needed
rhel7stig_start_firewall_service: true
# allowed firewall ports and protocols as found in the command used to discover
rhel7stig_firewall_ports_protocols:
- '22/tcp'
- '546/udp'
# RHEL-07-031010
rhel7stig_system_is_log_aggregator: false
rhel7stig_use_fips: true
fips_value: '0'
rhel7stig_fips_ciphers: aes256-ctr,aes192-ctr,aes128-ctr
rhel7stig_fips_macs: hmac-sha2-512,hmac-sha2-256
rhel7stig_fips_kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
# RHEL-07-040300
# RHEL-07-040310
# Install and enable ssh on networked systems
rhel7stig_ssh_required: true
rhel7stig_ssh_ciphers: "{{ rhel7stig_fips_ciphers }}"
rhel7stig_ssh_macs: "{{ rhel7stig_fips_macs }}"
rhel7stig_ssh_kex: "{{ rhel7stig_fips_kex }}"
# RHEL-07-040490
# If not required, remove vsftpd.
rhel7stig_vsftpd_required: false
# RHEL-07-040500
# If not required, remove tftp
rhel7stig_tftp_required: false
# Service configuration booleans set true to keep service
rhel7stig_autofs_required: false
rhel7stig_kdump_required: false
# RHEL-07-040580
# Set the SNMP community string to this from the default of public or private
rhel7stig_snmp_community: Endgam3Ladyb0g
# whether to force role-specified packages to be installed regardless of the
# presence of another compliant equivalent
rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
# RHEL-07-010480 and RHEL-07-010490
# Password protect the boot loader
rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
rhel7stig_boot_superuser: root
# RHEL-07-021700 set the value for correctly configured grub bootloader sequence
# note this is different for bios and EFI boot types. so can be changed via the inventory or alternate vars
rhel7stig_grub_bootloader_validorder: "set root='hd0,1'"
# RHEL-07-040200 Path for cacrt bundle that holds LDAP certs for tls transport
rhel_07_040200_cabundle_path: etc/pki/tls/certs/ca-bundle.crt
# AIDE settings
# Set to false for fire and forget mode
rhel7stig_wait_for_aide_init: true
rhel7stig_aide_handler: "{{ (rhel7stig_wait_for_aide_init) | ternary('init aide and wait','init aide') }}"
# Set to false to not overwrite an existing AIDE DB
rhel7stig_overwrite_aide_db: true
# AIDE database file locations
rhel7stig_aide_temp_db_file: /var/lib/aide/aide.db.new.gz
rhel7stig_aide_db_file: /var/lib/aide/aide.db.gz
# RHEL-07-010483 & RHEL-07-010492
rhel7stig_grub_superusers: su_mode_superuser
# RHEL-07-020030 & RHEL-07-020040
rhel7stig_aide_cron:
user: root
cron_file: aide
job: '/usr/sbin/aide --check'
hour: '5'
minute: '0'
special_time: daily
# Disable the notification check rule to disable mailing notifications
notify_by_mail: "{{ rhel_07_020040 }}"
notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'
rhel7stig_cron_special_disable: "{{
rhel7stig_workaround_for_disa_benchmark or
rhel7stig_workaround_for_ssg_benchmark or
false }}"
rhel7stig_aide_conf:
file: /etc/aide.conf
# Set maximum number of simultaneous system logins (RHEL-07-040000)
rhel7stig_maxlogins: 10
# Set the login banner settings
rhel7stig_logon_banner: "{{ rhel7stig_workaround_for_disa_benchmark | ternary(
rhel7stig_logon_banner_nice | regex_replace('(?s)(?<!\\n)\\n(?!(\n|$))', ' '),
rhel7stig_logon_banner_nice) }}"
rhel7stig_logon_banner_nice: |
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent
to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.
# Password complexity settings
rhel7stig_password_complexity:
ucredit: -1
lcredit: -1
dcredit: -1
ocredit: -1
difok: 8
minclass: 4
maxrepeat: 3
maxclassrepeat: 4
minlen: 15
# RHEL-07-020022
# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean.
# The value False will set the value to off, which does not allow privileged accounts to utilize SSH
# The value True will set the value to on, which allows privileged accounts to utilize SSH
# To confrom to STIG requirements use the value of false
# If set to True this needs to be documented with your ISSO as an operational requirement to be STIG compliant
rhel7stig_ssh_sysadm_login_state: false
# RHEL-07-040160
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 15 = 900)
rhel7stig_shell_session_timeout:
file: /etc/profile.d/tmout.sh
timeout: 900
# RHEL-07-040320 | All network connections associated with SSH traffic must
# terminate at the end of the session or after 10 minutes of inactivity, except
# to fulfill documented and validated mission requirements.
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel7stig_ssh_session_timeout: 600
# RHEL-07-020260
# Configure regular automatic package updates using yum-cron
# update_cmd options:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix upgrade-minimal
# minimal-security = yum --security upgrade-minimal
# minimal-security-severity:Critical = --sec-severity=Critical upgrade-minimal
rhel7stig_auto_package_updates_enabled: false
rhel7stig_auto_package_updates:
enabled: "{{ rhel7stig_auto_package_updates_enabled }}"
update_cmd: "minimal-security"
frequency: daily
# RHEL-07-020270
# If vsftpd is required, remove 'ftp' from rhel7stig_unnecessary_accounts.
#
# By default, files owned by removed users will be retained, but this may
# trigger RHEL-07-020320 (all files and directories must have a valid owner).
# Set rhel7stig_remove_unnecessary_user_files to true to remove old files,
# but this could remove files you intended to keep. And it's probably best to
# avoid removing 'dbus', 'nobody', 'systemd-network', and 'polkitd', as they all
# have home directories of '/' by default.
rhel7stig_unnecessary_accounts:
- ftp
- games
rhel7stig_remove_unnecessary_user_files: false
# RHEL-07-010270
# pam_pwhistory settings - Verify the operating system prohibits password reuse for a minimum of five generations.
rhel7stig_pam_pwhistory:
remember: 5
retries: 3
# RHEL-07-010320
# RHEL-07-010330
# pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
rhel7stig_pam_faillock:
attempts: 3
interval: 900
unlock_time: 900
fail_for_root: true
# RHEL-07-030320 and RHEL-07-030321
rhel7stig_audisp_disk_full_action: syslog
rhel7stig_audisp_network_failure_action: syslog
# RHEL-07-040670
# Network interface promiscuous mode setting will be disabled unless set to true
rhel7stig_net_promisc_mode_required: false
# /etc/login.defs settings
# RHEL-07-010210
# RHEL-07-010230
# RHEL-07-010250
# RHEL-07-010430
# RHEL-07-020240
# RHEL-07-020610
rhel7stig_login_defaults:
encrypt_method: SHA512
pass_min_days: 1
pass_max_days: 60
fail_delay_secs: 4
umask: '077'
create_home: 'yes'
# Default value - if control is enabled this will run for the valid controls.
update_audit_template: false
# RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs
# rhel7stig_audisp_remote_server: 10.10.10.10
# RHEL-07-030350
rhel7stig_audit_daemon: auditd
rhel7stig_auditd_mail_acct: root
# RHEL-07-020630
rhel7stig_homedir_mode: g-w,o-rwx
# RHEL-07-031000
# rhel7stig_log_aggregation_server: logagg.example.com
# Log aggregation port can be set the following '@'=UDP and '@@'=TCP
# rhel7stig_log_aggregation_port: '@@'
# RHEL-07-040180
# Whether the system should be using LDAP for authentication
rhel7stig_auth_settings:
use_ldap: true
use_sssd: true
# RHEL-07-040820
rhel7stig_ipsec_required: false
# RHEL-07-010340
# Setting to enable or disable fixes that depend on password-based authentication
# i.e. if users authenticate with a means other than passwords (pubkey)
# and will not know or use passwords then this should be 'false'
rhel7stig_using_password_auth: true
rhel7stig_availability_override: false
# # auditd_failure_flag
# # 2 Tells your system to perform an immediate shutdown without
# # flushing any pending data to disk when the limits of your
# # audit system are exceeded. Because this shutdown is not a clean shutdown.
# # restrict the use of -f 2 to only the most security conscious environments
# # 1 System continues to run, issues a warning and audit stops.
# # Use this for any other setup to avoid loss of data or data corruption.
rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, 2) }}"
rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
rhel7stig_boot_part: /boot
rhel7stig_legacy_boot_path: '/boot/grub2/'
rhel7stig_efi_boot_path: '/boot/efi/EFI/'
# rhel7stig_machine_uses_uefi: "{{ rhel_07_sys_firmware_efi.stat.exists }}"
# rhel7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary(rhel7stig_bootloader_path'/grub.cfg', '/boot/grub2/grub.cfg') }}"
# rhel7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
# oracle7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
# oracle7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
# DNS Servers to configure, you need two to conform to STIG standards
rhel_07_040600_dns_servers:
- 9.9.9.9
- 149.112.112.112
# The GID start point for interactive (non-system) users
rhel7stig_int_gid: 1000
# Control OL-07-040510
# Sets the invalid rate limit for IPv4 connections. Should be set to less than 1000 to conform to STIG standards
ol7stig_ipv4_tcp_invalid_ratelimit: 500
# Control RHEL-07-021031
# This control sets all world writable files to be owned by root. To conform to STIG standard all world-writable files must be owned by root or another system account
# With this toggle off it will list all world-writable files not owned by system accounts
rhel7stig_world_write_files_owner_root: false
# RHEL-07-010343
# The value given to Defaults timestamp timeout= in the sudo file.
# Value must be greater than 0 to conform to STIG standards
rhel7stig_sudo_timestamp_timeout: 1