---
# defaults file for rhel9_anssi_bp28_intermediary
#
# Default variables for a ComplianceAsCode-generated Ansible role applying the
# ANSSI BP-28 "intermediary" hardening level to RHEL 9. Two kinds of keys live
# here:
#   * `var_*` / `sysctl_*_value` / `sshd_*_value` — parameters consumed by the
#     remediation tasks. Override them in inventory/group_vars, not here.
#   * bare rule ids, STIG ids and strategy/severity/disruption tags set to
#     `true` — presumably read by the tasks as per-rule enable switches
#     (TODO confirm against tasks/main.yml before relying on flipping one).
# Numeric-looking values are deliberately single-quoted so they stay strings
# when templated into config files ('0' must not be retyped to the int 0).

# --- Authentication / PAM ----------------------------------------------------
var_authselect_profile: minimal
# pam_unix "remember": number of previous password hashes a user cannot reuse.
var_password_pam_unix_remember: '2'
# pam_faillock: lock after 3 failures within 900 s; automatic unlock after 900 s.
# An unlock_time of '0' here would mean a permanent lock (manual reset only).
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_fail_interval: '900'
var_accounts_passwords_pam_faillock_unlock_time: '900'
# pam_pwquality credits: a negative N requires at least N characters of that
# class (digit / lowercase / other / uppercase).
var_password_pam_dcredit: '-1'
var_password_pam_lcredit: '-1'
var_password_pam_minlen: '18'
var_password_pam_ocredit: '-1'
var_password_pam_ucredit: '-1'
# login.defs counterparts (PASS_MAX_DAYS / PASS_MIN_LEN). Keep the minimum
# length aligned with var_password_pam_minlen above so both checks agree.
var_accounts_maximum_age_login_defs: '90'
var_accounts_password_minlen_login_defs: '18'
# sha-crypt rounds for pam_unix hashing; higher slows offline cracking and
# also adds latency to every password verification.
var_password_pam_unix_rounds: '65536'
# Shell inactivity timeout (TMOUT) in seconds.
var_accounts_tmout: '600'

# --- Kernel command-line mitigations (grub2_* rules) -------------------------
# l1tf=full,force and mds=full,nosmt both turn SMT off — expect a throughput
# hit on hyper-threaded hosts. These only take effect after a reboot.
var_l1tf_options: full,force
var_mds_options: full,nosmt
var_rng_core_default_quality: '500'
var_spec_store_bypass_disable_options: seccomp

# --- Network sysctl values ----------------------------------------------------
# IPv6: ignore router advertisements (default route, prefix info, router
# preference), redirects and source routing; disable SLAAC and cap each
# interface at one address. Hosts that depend on SLAAC need overrides.
sysctl_net_ipv6_conf_all_accept_ra_defrtr_value: '0'
sysctl_net_ipv6_conf_all_accept_ra_pinfo_value: '0'
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value: '0'
sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
sysctl_net_ipv6_conf_all_accept_source_route_value: '0'
sysctl_net_ipv6_conf_all_autoconf_value: '0'
sysctl_net_ipv6_conf_all_max_addresses_value: '1'
sysctl_net_ipv6_conf_all_router_solicitations_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_defrtr_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_pinfo_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value: '0'
sysctl_net_ipv6_conf_default_accept_redirects_value: '0'
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
sysctl_net_ipv6_conf_default_autoconf_value: '0'
sysctl_net_ipv6_conf_default_max_addresses_value: '1'
sysctl_net_ipv6_conf_default_router_solicitations_value: '0'
# IPv4: no ICMP redirects or source routing; rp_filter=1 is strict reverse-path
# filtering (use '2' for loose mode on asymmetrically routed hosts);
# arp_ignore=2 answers ARP only for addresses on the receiving interface's
# subnet.
sysctl_net_ipv4_conf_all_accept_redirects_value: '0'
sysctl_net_ipv4_conf_all_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_arp_filter_value: '0'
sysctl_net_ipv4_conf_all_arp_ignore_value: '2'
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_all_shared_media_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_default_rp_filter_value: '1'
sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_shared_media_value: '0'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_rfc1337_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'

# --- Kernel hardening ---------------------------------------------------------
# kptr_restrict=2 hides kernel pointers in /proc and dmesg from every user,
# root included (breaks tooling that needs raw addresses, e.g. some perf use).
sysctl_kernel_kptr_restrict_value: '2'
# slub_debug=FZP: sanity checks (F), red-zoning (Z) and poisoning (P) on the
# SLUB allocator; measurable allocator overhead, only useful with a reboot.
var_slub_debug_options: FZP
var_selinux_state: enforcing
# Quoted on purpose: this is the string value written to the SELinux boolean,
# not a YAML boolean.
var_polyinstantiation_enabled: 'true'

# --- Mail -----------------------------------------------------------------------
# Placeholder. Root's mail (cron output, audit/aide reports) is forwarded
# here — override with a monitored mailbox before deployment, otherwise those
# notifications go nowhere useful.
var_postfix_root_mail_alias: change_me@localhost
# Postfix only listens on loopback; outbound relay still works.
var_postfix_inet_interfaces: loopback-only

# --- SSH --------------------------------------------------------------------------
# sshd ClientAliveCountMax. NOTE(review): on OpenSSH >= 8.2 (RHEL 9 ships 8.7)
# a value of 0 disables the keepalive disconnect entirely, so the 600 s
# interval below would never terminate an unresponsive session. DISA STIG
# RHEL-09-255100, tagged below, expects ClientAliveCountMax 1 — verify which
# value the generated task actually enforces and override to '1' if needed.
var_sshd_set_keepalive: '0'
# sshd ClientAliveInterval in seconds.
sshd_idle_timeout_value: '600'

# --- Rule / tag switches ----------------------------------------------------------
# DISA STIG ids (RHEL-09-xxxxxx) covered by this profile. All enabled.
DISA_STIG_RHEL_09_211015: true
DISA_STIG_RHEL_09_212040: true
DISA_STIG_RHEL_09_212045: true
DISA_STIG_RHEL_09_212050: true
DISA_STIG_RHEL_09_213010: true
DISA_STIG_RHEL_09_213015: true
DISA_STIG_RHEL_09_213025: true
DISA_STIG_RHEL_09_213030: true
DISA_STIG_RHEL_09_213035: true
DISA_STIG_RHEL_09_213070: true
DISA_STIG_RHEL_09_213075: true
DISA_STIG_RHEL_09_213080: true
DISA_STIG_RHEL_09_214010: true
DISA_STIG_RHEL_09_214015: true
DISA_STIG_RHEL_09_214020: true
DISA_STIG_RHEL_09_214025: true
DISA_STIG_RHEL_09_215020: true
DISA_STIG_RHEL_09_215030: true
DISA_STIG_RHEL_09_215035: true
DISA_STIG_RHEL_09_215040: true
DISA_STIG_RHEL_09_215060: true
DISA_STIG_RHEL_09_231050: true
DISA_STIG_RHEL_09_231055: true
DISA_STIG_RHEL_09_231100: true
DISA_STIG_RHEL_09_231130: true
DISA_STIG_RHEL_09_231135: true
DISA_STIG_RHEL_09_231150: true
DISA_STIG_RHEL_09_231155: true
DISA_STIG_RHEL_09_231180: true
DISA_STIG_RHEL_09_231185: true
DISA_STIG_RHEL_09_231200: true
DISA_STIG_RHEL_09_232055: true
DISA_STIG_RHEL_09_232065: true
DISA_STIG_RHEL_09_232075: true
DISA_STIG_RHEL_09_232110: true
DISA_STIG_RHEL_09_232150: true
DISA_STIG_RHEL_09_232240: true
DISA_STIG_RHEL_09_232245: true
DISA_STIG_RHEL_09_232270: true
DISA_STIG_RHEL_09_251045: true
DISA_STIG_RHEL_09_253010: true
DISA_STIG_RHEL_09_253015: true
DISA_STIG_RHEL_09_253020: true
DISA_STIG_RHEL_09_253035: true
DISA_STIG_RHEL_09_253040: true
DISA_STIG_RHEL_09_253045: true
DISA_STIG_RHEL_09_253050: true
DISA_STIG_RHEL_09_253060: true
DISA_STIG_RHEL_09_253065: true
DISA_STIG_RHEL_09_253070: true
DISA_STIG_RHEL_09_254015: true
DISA_STIG_RHEL_09_254020: true
DISA_STIG_RHEL_09_254035: true
DISA_STIG_RHEL_09_254040: true
DISA_STIG_RHEL_09_255045: true
DISA_STIG_RHEL_09_255095: true
DISA_STIG_RHEL_09_255100: true
DISA_STIG_RHEL_09_255120: true
DISA_STIG_RHEL_09_411010: true
DISA_STIG_RHEL_09_411075: true
DISA_STIG_RHEL_09_411080: true
DISA_STIG_RHEL_09_411085: true
DISA_STIG_RHEL_09_411090: true
DISA_STIG_RHEL_09_412035: true
DISA_STIG_RHEL_09_431010: true
DISA_STIG_RHEL_09_432010: true
DISA_STIG_RHEL_09_432025: true
DISA_STIG_RHEL_09_611050: true
DISA_STIG_RHEL_09_611055: true
DISA_STIG_RHEL_09_611065: true
DISA_STIG_RHEL_09_611070: true
DISA_STIG_RHEL_09_611085: true
DISA_STIG_RHEL_09_611090: true
DISA_STIG_RHEL_09_611095: true
DISA_STIG_RHEL_09_611100: true
DISA_STIG_RHEL_09_611110: true
DISA_STIG_RHEL_09_651010: true
DISA_STIG_RHEL_09_653010: true
DISA_STIG_RHEL_09_653015: true
DISA_STIG_RHEL_09_653125: true
DISA_STIG_RHEL_09_654150: true
# ComplianceAsCode rule ids. Each one pairs with the matching var_* /
# sysctl_*_value parameter above where the rule is parameterised.
accounts_maximum_age_login_defs: true
accounts_password_minlen_login_defs: true
accounts_password_pam_dcredit: true
accounts_password_pam_lcredit: true
accounts_password_pam_minlen: true
accounts_password_pam_ocredit: true
accounts_password_pam_ucredit: true
accounts_password_pam_unix_remember: true
accounts_password_pam_unix_rounds_password_auth: true
accounts_password_pam_unix_rounds_system_auth: true
accounts_passwords_pam_faillock_deny: true
# Root is also subject to faillock lockout; keep an out-of-band recovery path
# (console / rescue) available before enabling on production hosts.
accounts_passwords_pam_faillock_deny_root: true
accounts_passwords_pam_faillock_interval: true
accounts_passwords_pam_faillock_unlock_time: true
accounts_tmout: true
aide_build_database: true
audit_rules_privileged_commands_sudo: true
# Strategy / severity / disruption tags (configure_, disable_, enable_, patch_,
# restrict_, unknown_strategy; *_severity; *_disruption; *_complexity).
# `no_reboot_needed` and `reboot_required` are both tags, not a contradiction.
configure_strategy: true
dir_perms_world_writable_root_owned: true
dir_perms_world_writable_sticky_bits: true
disable_strategy: true
enable_authselect: true
enable_strategy: true
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_local_packages: true
ensure_gpgcheck_never_disabled: true
ensure_redhat_gpgkey_installed: true
file_owner_etc_gshadow: true
file_owner_etc_shadow: true
file_permissions_etc_group: true
file_permissions_etc_gshadow: true
file_permissions_etc_passwd: true
file_permissions_etc_shadow: true
file_permissions_sshd_private_key: true
grub2_l1tf_argument: true
grub2_mce_argument: true
grub2_mds_argument: true
grub2_page_alloc_shuffle_argument: true
grub2_page_poison_argument: true
grub2_pti_argument: true
grub2_rng_core_default_quality_argument: true
grub2_slab_nomerge_argument: true
grub2_slub_debug_argument: true
grub2_spec_store_bypass_disable_argument: true
grub2_spectre_v2_argument: true
high_disruption: true
high_severity: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
# Mount options. noexec on /home, /var, /var/tmp and /tmp may break software
# that executes from those paths (user-installed tooling, container runtimes
# and package scripts that stage under /var or /tmp) — test on a canary host
# first. These rules need the paths to be separate partitions to take effect.
mount_option_boot_noexec: true
mount_option_boot_nosuid: true
mount_option_home_noexec: true
mount_option_home_nosuid: true
mount_option_nodev_nonroot_local_partitions: true
mount_option_opt_nosuid: true
mount_option_srv_nosuid: true
mount_option_tmp_noexec: true
mount_option_tmp_nosuid: true
mount_option_var_log_noexec: true
mount_option_var_log_nosuid: true
mount_option_var_noexec: true
mount_option_var_nosuid: true
mount_option_var_tmp_noexec: true
mount_option_var_tmp_nosuid: true
no_direct_root_logins: true
no_reboot_needed: true
package_aide_installed: true
package_audit_installed: true
package_dhcp_removed: true
package_dnf_automatic_installed: true
package_rsh_removed: true
package_rsh_server_removed: true
package_sendmail_removed: true
package_sudo_installed: true
package_talk_removed: true
package_talk_server_removed: true
package_telnet_removed: true
package_telnet_server_removed: true
package_tftp_removed: true
package_tftp_server_removed: true
package_xinetd_removed: true
package_ypbind_removed: true
package_ypserv_removed: true
patch_strategy: true
postfix_client_configure_mail_alias: true
postfix_network_listening_disabled: true
reboot_required: true
restrict_strategy: true
sebool_polyinstantiation_enabled: true
security_patches_up_to_date: true
selinux_state: true
service_auditd_enabled: true
set_password_hashing_algorithm_systemauth: true
skip_ansible_lint: true
# Disabling root SSH login means all remote admin goes through a named user
# plus sudo; make sure such a user exists before this rule is applied, or the
# host becomes unreachable over SSH.
sshd_disable_root_login: true
sshd_set_idle_timeout: true
sshd_set_keepalive: true
# sudo hardening. requiretty and use_pty may break non-interactive sudo use
# (cron jobs, some automation / Ansible become over a pty-less connection);
# noexec blocks sudo'd programs from exec'ing further binaries.
sudo_add_noexec: true
sudo_add_requiretty: true
sudo_add_use_pty: true
sudo_remove_no_authenticate: true
sudo_remove_nopasswd: true
# sysctl rules; the parameterised ones read their value from the
# sysctl_*_value keys above.
sysctl_fs_protected_fifos: true
sysctl_fs_protected_hardlinks: true
sysctl_fs_protected_regular: true
sysctl_fs_protected_symlinks: true
sysctl_fs_suid_dumpable: true
sysctl_kernel_dmesg_restrict: true
sysctl_kernel_kptr_restrict: true
# panic_on_oops turns any kernel oops into a reboot — intentional fail-closed
# behaviour, but plan for it in availability expectations.
sysctl_kernel_panic_on_oops: true
sysctl_kernel_perf_cpu_time_max_percent: true
sysctl_kernel_perf_event_max_sample_rate: true
sysctl_kernel_perf_event_paranoid: true
sysctl_kernel_pid_max: true
sysctl_kernel_randomize_va_space: true
sysctl_kernel_sysrq: true
sysctl_kernel_unprivileged_bpf_disabled: true
sysctl_kernel_yama_ptrace_scope: true
sysctl_net_core_bpf_jit_harden: true
sysctl_net_ipv4_conf_all_accept_local: true
sysctl_net_ipv4_conf_all_accept_redirects: true
sysctl_net_ipv4_conf_all_accept_source_route: true
sysctl_net_ipv4_conf_all_arp_filter: true
sysctl_net_ipv4_conf_all_arp_ignore: true
sysctl_net_ipv4_conf_all_drop_gratuitous_arp: true
sysctl_net_ipv4_conf_all_route_localnet: true
sysctl_net_ipv4_conf_all_rp_filter: true
sysctl_net_ipv4_conf_all_secure_redirects: true
sysctl_net_ipv4_conf_all_send_redirects: true
sysctl_net_ipv4_conf_all_shared_media: true
sysctl_net_ipv4_conf_default_accept_redirects: true
sysctl_net_ipv4_conf_default_accept_source_route: true
sysctl_net_ipv4_conf_default_rp_filter: true
sysctl_net_ipv4_conf_default_secure_redirects: true
sysctl_net_ipv4_conf_default_send_redirects: true
sysctl_net_ipv4_conf_default_shared_media: true
sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true
# ip_forward is disabled by this rule — do not apply to routers, NAT gateways
# or container/VM hosts that need forwarding without an override.
sysctl_net_ipv4_ip_forward: true
sysctl_net_ipv4_ip_local_port_range: true
sysctl_net_ipv4_tcp_rfc1337: true
sysctl_net_ipv4_tcp_syncookies: true
sysctl_net_ipv6_conf_all_accept_ra_defrtr: true
sysctl_net_ipv6_conf_all_accept_ra_pinfo: true
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref: true
sysctl_net_ipv6_conf_all_accept_redirects: true
sysctl_net_ipv6_conf_all_accept_source_route: true
sysctl_net_ipv6_conf_all_autoconf: true
sysctl_net_ipv6_conf_all_max_addresses: true
sysctl_net_ipv6_conf_all_router_solicitations: true
sysctl_net_ipv6_conf_default_accept_ra_defrtr: true
sysctl_net_ipv6_conf_default_accept_ra_pinfo: true
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref: true
sysctl_net_ipv6_conf_default_accept_redirects: true
sysctl_net_ipv6_conf_default_accept_source_route: true
sysctl_net_ipv6_conf_default_autoconf: true
sysctl_net_ipv6_conf_default_max_addresses: true
sysctl_net_ipv6_conf_default_router_solicitations: true
sysctl_vm_mmap_min_addr: true
unknown_severity: true
unknown_strategy: true