---
# defaults file for rhel8_anssi_bp28_enhanced
# Layout: rule parameters (var_* and *_value keys) first, then one boolean
# switch per rule or selector tag. The naming scheme matches
# ComplianceAsCode-generated Ansible roles — NOTE(review): confirm the file is
# regenerated upstream rather than hand-edited before changing values here.
#
# Parameter values are kept as quoted strings on purpose so the YAML loader
# does not retype them (an unquoted 0077 would be read as an octal integer,
# -1 as an int, true as a boolean).
# sudo Defaults umask; the quotes preserve the leading zero.
var_sudo_umask: '0077'
# authselect profile to activate.
var_authselect_profile: minimal
# pam_unix remember= (password reuse history depth).
var_password_pam_unix_remember: '2'
# pam_faillock lockout: failures allowed, failure window and unlock delay
# (pam_faillock takes the latter two in seconds).
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_fail_interval: '900'
var_accounts_passwords_pam_faillock_unlock_time: '900'
# pam_pwquality: a credit of -1 requires at least one character of that
# class (digit, lower, other, upper); minimum length 18.
var_password_pam_dcredit: '-1'
var_password_pam_lcredit: '-1'
var_password_pam_minlen: '18'
var_password_pam_ocredit: '-1'
var_password_pam_ucredit: '-1'
# login.defs password maximum age (days) and minimum length.
var_accounts_maximum_age_login_defs: '90'
var_accounts_password_minlen_login_defs: '18'
# pam_unix hashing rounds; applied by the two
# accounts_password_pam_unix_rounds_* switches below.
var_password_pam_unix_rounds: '65536'
# Shell inactivity timeout (TMOUT) and default user umask.
var_accounts_tmout: '600'
var_accounts_user_umask: '077'
# Directory pam_faillock uses for its tally files.
var_accounts_passwords_pam_faillock_dir: /var/log/faillock
# Kernel command-line values consumed by the grub2_*_argument switches below.
var_l1tf_options: full,force
var_rng_core_default_quality: '500'
var_spec_store_bypass_disable_options: seccomp
# Placeholder remote syslog host — override per site. Left as-is, the
# rsyslog_remote_loghost rule forwards logs to a name that will not resolve,
# so nothing leaves the box.
rsyslog_remote_loghost_address: logcollector
# Target values for the sysctl_* switches below ('0'/'1'/'2' kept as strings).
# IPv6: no router advertisements, redirects, source routing or autoconf;
# a single address per interface.
sysctl_net_ipv6_conf_all_accept_ra_defrtr_value: '0'
sysctl_net_ipv6_conf_all_accept_ra_pinfo_value: '0'
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value: '0'
sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
sysctl_net_ipv6_conf_all_accept_source_route_value: '0'
sysctl_net_ipv6_conf_all_autoconf_value: '0'
sysctl_net_ipv6_conf_all_max_addresses_value: '1'
sysctl_net_ipv6_conf_all_router_solicitations_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_defrtr_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_pinfo_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value: '0'
sysctl_net_ipv6_conf_default_accept_redirects_value: '0'
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
sysctl_net_ipv6_conf_default_autoconf_value: '0'
sysctl_net_ipv6_conf_default_max_addresses_value: '1'
sysctl_net_ipv6_conf_default_router_solicitations_value: '0'
# IPv4: no redirects or source routing, strict reverse-path filtering,
# arp_ignore 2, bogus ICMP errors ignored, RFC 1337 and SYN cookies on.
sysctl_net_ipv4_conf_all_accept_redirects_value: '0'
sysctl_net_ipv4_conf_all_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_arp_filter_value: '0'
sysctl_net_ipv4_conf_all_arp_ignore_value: '2'
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_all_shared_media_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_default_rp_filter_value: '1'
sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_shared_media_value: '0'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_rfc1337_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'
# kptr_restrict 2 hides kernel pointers from all users, root included.
sysctl_kernel_kptr_restrict_value: '2'
# Kernel command-line value for slub_debug (grub2_slub_debug_argument).
var_slub_debug_options: FZP
# SELinux policy and mode.
var_selinux_policy_name: targeted
var_selinux_state: enforcing
# Value for the polyinstantiation_enabled SELinux boolean; a string on
# purpose like the other parameters — presumably coerced by the consuming
# task, confirm against the sebool task.
var_polyinstantiation_enabled: 'true'
# Placeholder root mail alias — override per site so root mail reaches a
# monitored mailbox.
var_postfix_root_mail_alias: change_me@localhost
# Postfix only listens on loopback.
var_postfix_inet_interfaces: loopback-only
# Comma-separated chrony time sources. Public pool hosts by default; point
# at internal servers where outbound NTP is restricted.
var_multiple_time_servers: 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
# sshd keepalive count and idle timeout — presumably ClientAliveCountMax and
# ClientAliveInterval, confirm against the sshd tasks. Together 0 and 600
# drop an idle session after 600 s.
var_sshd_set_keepalive: '0'
sshd_idle_timeout_value: '600'
# ---------------------------------------------------------------------------
# Everything below is a boolean switch. Keys mirror rule names and tag names
# and are listed alphabetically, so selector switches (severity, disruption,
# complexity, reboot and *_strategy) are interleaved with the per-rule ones.
# NOTE(review): presumably each gates its tasks via tags/when so a rule or a
# whole category can be disabled by overriding it to false — confirm against
# tasks/main.yml. Every switch defaults to true, so nothing is filtered out;
# note in particular high_disruption and reboot_required below.
# ---------------------------------------------------------------------------
# DISA STIG RHEL 8 rule identifiers cross-referenced by this profile.
DISA_STIG_RHEL_08_010010: true
DISA_STIG_RHEL_08_010019: true
DISA_STIG_RHEL_08_010159: true
DISA_STIG_RHEL_08_010170: true
DISA_STIG_RHEL_08_010190: true
DISA_STIG_RHEL_08_010200: true
DISA_STIG_RHEL_08_010201: true
DISA_STIG_RHEL_08_010359: true
DISA_STIG_RHEL_08_010370: true
DISA_STIG_RHEL_08_010371: true
DISA_STIG_RHEL_08_010373: true
DISA_STIG_RHEL_08_010374: true
DISA_STIG_RHEL_08_010375: true
DISA_STIG_RHEL_08_010376: true
DISA_STIG_RHEL_08_010380: true
DISA_STIG_RHEL_08_010381: true
DISA_STIG_RHEL_08_010421: true
DISA_STIG_RHEL_08_010423: true
DISA_STIG_RHEL_08_010430: true
DISA_STIG_RHEL_08_010450: true
DISA_STIG_RHEL_08_010490: true
DISA_STIG_RHEL_08_010550: true
DISA_STIG_RHEL_08_010570: true
DISA_STIG_RHEL_08_010571: true
DISA_STIG_RHEL_08_010580: true
DISA_STIG_RHEL_08_010590: true
DISA_STIG_RHEL_08_010700: true
DISA_STIG_RHEL_08_020011: true
DISA_STIG_RHEL_08_020012: true
DISA_STIG_RHEL_08_020013: true
DISA_STIG_RHEL_08_020014: true
DISA_STIG_RHEL_08_020015: true
DISA_STIG_RHEL_08_020023: true
DISA_STIG_RHEL_08_020110: true
DISA_STIG_RHEL_08_020120: true
DISA_STIG_RHEL_08_020130: true
DISA_STIG_RHEL_08_020200: true
DISA_STIG_RHEL_08_020230: true
DISA_STIG_RHEL_08_020231: true
DISA_STIG_RHEL_08_020280: true
DISA_STIG_RHEL_08_020351: true
DISA_STIG_RHEL_08_020353: true
DISA_STIG_RHEL_08_030121: true
DISA_STIG_RHEL_08_030130: true
DISA_STIG_RHEL_08_030140: true
DISA_STIG_RHEL_08_030150: true
DISA_STIG_RHEL_08_030160: true
DISA_STIG_RHEL_08_030170: true
DISA_STIG_RHEL_08_030180: true
DISA_STIG_RHEL_08_030181: true
DISA_STIG_RHEL_08_030200: true
DISA_STIG_RHEL_08_030302: true
DISA_STIG_RHEL_08_030360: true
DISA_STIG_RHEL_08_030361: true
DISA_STIG_RHEL_08_030390: true
DISA_STIG_RHEL_08_030420: true
DISA_STIG_RHEL_08_030480: true
DISA_STIG_RHEL_08_030490: true
DISA_STIG_RHEL_08_030550: true
DISA_STIG_RHEL_08_030580: true
DISA_STIG_RHEL_08_030590: true
DISA_STIG_RHEL_08_030600: true
DISA_STIG_RHEL_08_030680: true
DISA_STIG_RHEL_08_030690: true
DISA_STIG_RHEL_08_040000: true
DISA_STIG_RHEL_08_040002: true
DISA_STIG_RHEL_08_040004: true
DISA_STIG_RHEL_08_040010: true
DISA_STIG_RHEL_08_040124: true
DISA_STIG_RHEL_08_040125: true
DISA_STIG_RHEL_08_040127: true
DISA_STIG_RHEL_08_040128: true
DISA_STIG_RHEL_08_040133: true
DISA_STIG_RHEL_08_040134: true
DISA_STIG_RHEL_08_040190: true
DISA_STIG_RHEL_08_040209: true
DISA_STIG_RHEL_08_040210: true
DISA_STIG_RHEL_08_040220: true
DISA_STIG_RHEL_08_040239: true
DISA_STIG_RHEL_08_040240: true
DISA_STIG_RHEL_08_040249: true
DISA_STIG_RHEL_08_040250: true
DISA_STIG_RHEL_08_040270: true
DISA_STIG_RHEL_08_040279: true
DISA_STIG_RHEL_08_040280: true
DISA_STIG_RHEL_08_040281: true
DISA_STIG_RHEL_08_040282: true
DISA_STIG_RHEL_08_040283: true
DISA_STIG_RHEL_08_040285: true
DISA_STIG_RHEL_08_040286: true
# Per-rule switches, one per remediation (rule names as in the profile).
# Account, password and umask rules; parameters are the var_* keys above.
accounts_maximum_age_login_defs: true
accounts_password_minlen_login_defs: true
accounts_password_pam_dcredit: true
accounts_password_pam_lcredit: true
accounts_password_pam_minlen: true
accounts_password_pam_ocredit: true
accounts_password_pam_ucredit: true
accounts_password_pam_unix_remember: true
accounts_password_pam_unix_rounds_password_auth: true
accounts_password_pam_unix_rounds_system_auth: true
accounts_passwords_pam_faillock_deny: true
accounts_passwords_pam_faillock_deny_root: true
accounts_passwords_pam_faillock_interval: true
accounts_passwords_pam_faillock_unlock_time: true
accounts_polyinstantiated_tmp: true
accounts_polyinstantiated_var_tmp: true
accounts_tmout: true
accounts_umask_etc_bashrc: true
accounts_umask_etc_login_defs: true
accounts_umask_etc_profile: true
# AIDE and auditd rules.
aide_build_database: true
audit_rules_dac_modification_chmod: true
audit_rules_dac_modification_chown: true
audit_rules_dac_modification_fchmod: true
audit_rules_dac_modification_fchmodat: true
audit_rules_dac_modification_fchown: true
audit_rules_dac_modification_fchownat: true
audit_rules_dac_modification_fremovexattr: true
audit_rules_dac_modification_fsetxattr: true
audit_rules_dac_modification_lchown: true
audit_rules_dac_modification_lremovexattr: true
audit_rules_dac_modification_lsetxattr: true
audit_rules_dac_modification_removexattr: true
audit_rules_dac_modification_setxattr: true
audit_rules_dac_modification_umount2: true
audit_rules_file_deletion_events_rename: true
audit_rules_file_deletion_events_renameat: true
audit_rules_file_deletion_events_rmdir: true
audit_rules_file_deletion_events_unlink: true
audit_rules_file_deletion_events_unlinkat: true
# Makes the audit configuration immutable until reboot; later audit rule
# changes then need a reboot to take effect.
audit_rules_immutable: true
audit_rules_kernel_module_loading_delete: true
audit_rules_kernel_module_loading_finit: true
audit_rules_kernel_module_loading_init: true
audit_rules_login_events_faillock: true
audit_rules_login_events_lastlog: true
audit_rules_mac_modification: true
audit_rules_media_export: true
audit_rules_networkconfig_modification: true
audit_rules_privileged_commands: true
audit_rules_privileged_commands_kmod: true
audit_rules_privileged_commands_sudo: true
audit_rules_session_events: true
audit_rules_sysadmin_actions: true
audit_rules_time_adjtimex: true
audit_rules_time_clock_settime: true
audit_rules_time_stime: true
audit_rules_time_watch_localtime: true
audit_rules_unsuccessful_file_modification_creat: true
audit_rules_unsuccessful_file_modification_ftruncate: true
audit_rules_unsuccessful_file_modification_open: true
audit_rules_unsuccessful_file_modification_openat: true
audit_rules_unsuccessful_file_modification_truncate: true
audit_rules_usergroup_modification_group: true
audit_rules_usergroup_modification_gshadow: true
audit_rules_usergroup_modification_opasswd: true
audit_rules_usergroup_modification_passwd: true
audit_rules_usergroup_modification_shadow: true
audit_sudo_log_events: true
chronyd_specify_remote_server: true
# Selector: remediation strategy class (configure/disable/enable/patch/
# restrict/unknown further down).
configure_strategy: true
dir_perms_world_writable_root_owned: true
dir_perms_world_writable_sticky_bits: true
disable_strategy: true
enable_authselect: true
enable_pam_namespace: true
enable_strategy: true
# Package-manager signature checking and vendor key.
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_local_packages: true
ensure_gpgcheck_never_disabled: true
ensure_logrotate_activated: true
ensure_redhat_gpgkey_installed: true
# Ownership and permissions of the account databases and sshd host keys.
file_owner_etc_gshadow: true
file_owner_etc_shadow: true
file_permissions_etc_group: true
file_permissions_etc_gshadow: true
file_permissions_etc_passwd: true
file_permissions_etc_shadow: true
file_permissions_sshd_private_key: true
# Kernel command-line hardening; values come from the var_* keys above.
grub2_enable_iommu_force: true
grub2_l1tf_argument: true
grub2_mce_argument: true
grub2_nosmap_argument_absent: true
grub2_nosmep_argument_absent: true
grub2_page_poison_argument: true
grub2_pti_argument: true
grub2_rng_core_default_quality_argument: true
grub2_slab_nomerge_argument: true
grub2_slub_debug_argument: true
grub2_spec_store_bypass_disable_argument: true
grub2_spectre_v2_argument: true
# Selectors: disruption, severity and complexity classes. All enabled, so
# high-disruption remediations (mount options, grub changes, immutable audit
# rules) run by default — set high_disruption to false to hold them back.
high_disruption: true
high_severity: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
# Mount options; these rewrite fstab entries for the named filesystems.
mount_option_boot_noexec: true
mount_option_boot_nosuid: true
mount_option_home_noexec: true
mount_option_home_nosuid: true
mount_option_nodev_nonroot_local_partitions: true
mount_option_opt_nosuid: true
mount_option_srv_nosuid: true
mount_option_tmp_noexec: true
mount_option_tmp_nosuid: true
mount_option_var_log_noexec: true
mount_option_var_log_nosuid: true
mount_option_var_noexec: true
mount_option_var_nosuid: true
mount_option_var_tmp_noexec: true
mount_option_var_tmp_nosuid: true
no_direct_root_logins: true
# Selector: rules that take effect without a reboot (see reboot_required).
no_reboot_needed: true
# Packages installed or removed (legacy clear-text services removed).
package_aide_installed: true
package_audit_installed: true
package_chrony_installed: true
package_dhcp_removed: true
package_dnf_automatic_installed: true
package_logrotate_installed: true
package_rsh_removed: true
package_rsh_server_removed: true
package_rsyslog_gnutls_installed: true
package_sendmail_removed: true
package_sudo_installed: true
package_talk_removed: true
package_talk_server_removed: true
package_telnet_removed: true
package_telnet_server_removed: true
package_tftp_removed: true
package_tftp_server_removed: true
package_xinetd_removed: true
package_ypbind_removed: true
package_ypserv_removed: true
patch_strategy: true
postfix_client_configure_mail_alias: true
postfix_network_listening_disabled: true
# Selector: rules whose effect needs a reboot (grub, mount options,
# immutable audit rules); enabled by default alongside no_reboot_needed.
reboot_required: true
restrict_strategy: true
# rsyslog file ownership and remote forwarding over TLS
# (rsyslog_remote_loghost_address above must be overridden for this to work).
rsyslog_files_groupownership: true
rsyslog_files_ownership: true
rsyslog_files_permissions: true
rsyslog_remote_loghost: true
rsyslog_remote_tls: true
sebool_polyinstantiation_enabled: true
security_patches_up_to_date: true
selinux_policytype: true
selinux_state: true
service_auditd_enabled: true
service_chronyd_or_ntpd_enabled: true
set_password_hashing_algorithm_systemauth: true
# Tag used to exempt generated tasks from ansible-lint.
skip_ansible_lint: true
sshd_disable_root_login: true
sshd_set_idle_timeout: true
sshd_set_keepalive: true
# sudoers hardening.
sudo_add_env_reset: true
sudo_add_ignore_dot: true
sudo_add_noexec: true
sudo_add_requiretty: true
sudo_add_umask: true
sudo_add_use_pty: true
sudo_remove_no_authenticate: true
sudo_remove_nopasswd: true
# sysctl rules; where a *_value key exists above it supplies the setting.
sysctl_fs_protected_hardlinks: true
sysctl_fs_protected_symlinks: true
sysctl_fs_suid_dumpable: true
sysctl_kernel_dmesg_restrict: true
sysctl_kernel_kptr_restrict: true
# Disables further kernel module loading; any module needed at runtime must
# already be loaded before this applies.
sysctl_kernel_modules_disabled: true
sysctl_kernel_panic_on_oops: true
sysctl_kernel_perf_cpu_time_max_percent: true
sysctl_kernel_perf_event_max_sample_rate: true
sysctl_kernel_perf_event_paranoid: true
sysctl_kernel_pid_max: true
sysctl_kernel_randomize_va_space: true
sysctl_kernel_sysrq: true
sysctl_kernel_unprivileged_bpf_disabled: true
sysctl_kernel_yama_ptrace_scope: true
sysctl_net_core_bpf_jit_harden: true
sysctl_net_ipv4_conf_all_accept_local: true
sysctl_net_ipv4_conf_all_accept_redirects: true
sysctl_net_ipv4_conf_all_accept_source_route: true
sysctl_net_ipv4_conf_all_arp_filter: true
sysctl_net_ipv4_conf_all_arp_ignore: true
sysctl_net_ipv4_conf_all_drop_gratuitous_arp: true
sysctl_net_ipv4_conf_all_route_localnet: true
sysctl_net_ipv4_conf_all_rp_filter: true
sysctl_net_ipv4_conf_all_secure_redirects: true
sysctl_net_ipv4_conf_all_send_redirects: true
sysctl_net_ipv4_conf_all_shared_media: true
sysctl_net_ipv4_conf_default_accept_redirects: true
sysctl_net_ipv4_conf_default_accept_source_route: true
sysctl_net_ipv4_conf_default_rp_filter: true
sysctl_net_ipv4_conf_default_secure_redirects: true
sysctl_net_ipv4_conf_default_send_redirects: true
sysctl_net_ipv4_conf_default_shared_media: true
sysctl_net_ipv4_icmp_ignore_bogus_error_responses: true
sysctl_net_ipv4_ip_forward: true
sysctl_net_ipv4_ip_local_port_range: true
sysctl_net_ipv4_tcp_rfc1337: true
sysctl_net_ipv4_tcp_syncookies: true
sysctl_net_ipv6_conf_all_accept_ra_defrtr: true
sysctl_net_ipv6_conf_all_accept_ra_pinfo: true
sysctl_net_ipv6_conf_all_accept_ra_rtr_pref: true
sysctl_net_ipv6_conf_all_accept_redirects: true
sysctl_net_ipv6_conf_all_accept_source_route: true
sysctl_net_ipv6_conf_all_autoconf: true
sysctl_net_ipv6_conf_all_max_addresses: true
sysctl_net_ipv6_conf_all_router_solicitations: true
sysctl_net_ipv6_conf_default_accept_ra_defrtr: true
sysctl_net_ipv6_conf_default_accept_ra_pinfo: true
sysctl_net_ipv6_conf_default_accept_ra_rtr_pref: true
sysctl_net_ipv6_conf_default_accept_redirects: true
sysctl_net_ipv6_conf_default_accept_source_route: true
sysctl_net_ipv6_conf_default_autoconf: true
sysctl_net_ipv6_conf_default_max_addresses: true
sysctl_net_ipv6_conf_default_router_solicitations: true
sysctl_vm_mmap_min_addr: true
# Selectors for rules without a classified severity or strategy.
unknown_severity: true
unknown_strategy: true