refactor(cis): extract hardcoded values to cis_defaults and add _normalize.yml

2026-02-21 01:26:31 +01:00
parent bef15af69f
commit f74ec325ea
8 changed files with 99 additions and 79 deletions
--- a/roles/cis/defaults/main.yml
+++ b/roles/cis/defaults/main.yml
@@ -1,4 +1,85 @@
 ---
+# User-facing API: override via top-level `cis` dict in inventory.
+# Merged with these defaults in _normalize.yml → cis_cfg.
+cis_defaults:
+  modules_blacklist:
+    - freevxfs
+    - jffs2
+    - hfs
+    - hfsplus
+    - cramfs
+    - udf
+    - usb-storage
+    - dccp
+    - sctp
+    - rds
+    - tipc
+    - firewire-core
+    - firewire-sbp2
+    - thunderbolt
+  sysctl:
+    fs.suid_dumpable: 0
+    kernel.dmesg_restrict: 1
+    kernel.kptr_restrict: 2
+    kernel.perf_event_paranoid: 3
+    kernel.unprivileged_bpf_disabled: 1
+    kernel.yama.ptrace_scope: 2
+    kernel.randomize_va_space: 2
+    net.ipv4.ip_forward: 0
+    net.ipv4.tcp_syncookies: 1
+    net.ipv4.icmp_echo_ignore_broadcasts: 1
+    net.ipv4.icmp_ignore_bogus_error_responses: 1
+    net.ipv4.conf.all.log_martians: 1
+    net.ipv4.conf.all.rp_filter: 1
+    net.ipv4.conf.all.secure_redirects: 0
+    net.ipv4.conf.all.send_redirects: 0
+    net.ipv4.conf.all.accept_redirects: 0
+    net.ipv4.conf.all.accept_source_route: 0
+    net.ipv4.conf.all.arp_ignore: 1
+    net.ipv4.conf.all.arp_announce: 2
+    net.ipv4.conf.default.log_martians: 1
+    net.ipv4.conf.default.rp_filter: 1
+    net.ipv4.conf.default.secure_redirects: 0
+    net.ipv4.conf.default.send_redirects: 0
+    net.ipv4.conf.default.accept_redirects: 0
+    net.ipv6.conf.all.accept_redirects: 0
+    net.ipv6.conf.all.disable_ipv6: 1
+    net.ipv6.conf.default.accept_redirects: 0
+    net.ipv6.conf.default.disable_ipv6: 1
+    net.ipv6.conf.lo.disable_ipv6: 1
+  sshd_options:
+    - { option: LogLevel, value: VERBOSE }
+    - { option: LoginGraceTime, value: "60" }
+    - { option: PermitRootLogin, value: "no" }
+    - { option: StrictModes, value: "yes" }
+    - { option: MaxAuthTries, value: "4" }
+    - { option: MaxSessions, value: "10" }
+    - { option: MaxStartups, value: "10:30:60" }
+    - { option: PubkeyAuthentication, value: "yes" }
+    - { option: HostbasedAuthentication, value: "no" }
+    - { option: IgnoreRhosts, value: "yes" }
+    - { option: PasswordAuthentication, value: "no" }
+    - { option: PermitEmptyPasswords, value: "no" }
+    - { option: KerberosAuthentication, value: "no" }
+    - { option: GSSAPIAuthentication, value: "no" }
+    - { option: AllowAgentForwarding, value: "no" }
+    - { option: AllowTcpForwarding, value: "no" }
+    - { option: KbdInteractiveAuthentication, value: "no" }
+    - { option: GatewayPorts, value: "no" }
+    - { option: X11Forwarding, value: "no" }
+    - { option: PermitUserEnvironment, value: "no" }
+    - { option: ClientAliveInterval, value: "300" }
+    - { option: ClientAliveCountMax, value: "1" }
+    - { option: PermitTunnel, value: "no" }
+    - { option: Banner, value: /etc/issue.net }
+  pwquality_minlen: 14
+  tmout: 900
+  umask: "077"
+  umask_profile: "027"
+  faillock_deny: 5
+  faillock_unlock_time: 900
+  password_remember: 5
+
 # Platform-specific binary names for CIS permission targets
 cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
 cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"