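---
# User-facing API: override via top-level `cis` dict in inventory.
# Merged with these defaults in _normalize.yml → cis_cfg.
cis_defaults:
  # Kernel modules to deny-load (unused filesystems, legacy transport
  # protocols, hot-plug buses).
  modules_blacklist:
    - freevxfs
    - jffs2
    - hfs
    - hfsplus
    - cramfs
    - udf
    - usb-storage
    - dccp
    - sctp
    - rds
    - tipc
    - firewire-core
    - firewire-sbp2
    - thunderbolt

  # Kernel parameters: keys are sysctl names, values the desired setting.
  # The `conf.all.*` / `conf.default.*` pairs are kept in step so that
  # interfaces created later inherit the same policy (arp_ignore /
  # arp_announce are intentionally set on `all` only).
  sysctl:
    # kernel / process hardening
    fs.suid_dumpable: 0
    kernel.dmesg_restrict: 1
    kernel.kptr_restrict: 2
    kernel.perf_event_paranoid: 3
    kernel.unprivileged_bpf_disabled: 1
    kernel.yama.ptrace_scope: 2
    kernel.randomize_va_space: 2
    # IPv4 stack
    net.ipv4.ip_forward: 0
    net.ipv4.tcp_syncookies: 1
    net.ipv4.icmp_echo_ignore_broadcasts: 1
    net.ipv4.icmp_ignore_bogus_error_responses: 1
    net.ipv4.conf.all.log_martians: 1
    net.ipv4.conf.all.rp_filter: 1
    net.ipv4.conf.all.secure_redirects: 0
    net.ipv4.conf.all.send_redirects: 0
    net.ipv4.conf.all.accept_redirects: 0
    net.ipv4.conf.all.accept_source_route: 0
    net.ipv4.conf.all.arp_ignore: 1
    net.ipv4.conf.all.arp_announce: 2
    net.ipv4.conf.default.log_martians: 1
    net.ipv4.conf.default.rp_filter: 1
    net.ipv4.conf.default.secure_redirects: 0
    net.ipv4.conf.default.send_redirects: 0
    net.ipv4.conf.default.accept_redirects: 0
    # Mirrors `conf.all.accept_source_route` above; previously the
    # `default` side of this pair was missing, unlike every other
    # redirect/martian/rp_filter pair in this map.
    net.ipv4.conf.default.accept_source_route: 0
    # IPv6 is disabled outright; the redirect keys stay as defence in depth
    # in case a host override re-enables it.
    net.ipv6.conf.all.accept_redirects: 0
    net.ipv6.conf.all.disable_ipv6: 1
    net.ipv6.conf.default.accept_redirects: 0
    net.ipv6.conf.default.disable_ipv6: 1
    net.ipv6.conf.lo.disable_ipv6: 1

  # sshd_config directives as option/value pairs. Every value is quoted so
  # YAML never coerces "yes"/"no" into booleans or "60"/"4" into integers.
  sshd_options:
    - { option: LogLevel, value: "VERBOSE" }
    - { option: LoginGraceTime, value: "60" }
    - { option: PermitRootLogin, value: "no" }
    - { option: StrictModes, value: "yes" }
    - { option: MaxAuthTries, value: "4" }
    - { option: MaxSessions, value: "10" }
    - { option: MaxStartups, value: "10:30:60" }
    - { option: PubkeyAuthentication, value: "yes" }
    - { option: HostbasedAuthentication, value: "no" }
    - { option: IgnoreRhosts, value: "yes" }
    - { option: PasswordAuthentication, value: "no" }
    - { option: PermitEmptyPasswords, value: "no" }
    - { option: KerberosAuthentication, value: "no" }
    - { option: GSSAPIAuthentication, value: "no" }
    - { option: AllowAgentForwarding, value: "no" }
    - { option: AllowTcpForwarding, value: "no" }
    - { option: KbdInteractiveAuthentication, value: "no" }
    - { option: GatewayPorts, value: "no" }
    - { option: X11Forwarding, value: "no" }
    - { option: PermitUserEnvironment, value: "no" }
    - { option: ClientAliveInterval, value: "300" }
    - { option: ClientAliveCountMax, value: "1" }
    - { option: PermitTunnel, value: "no" }
    - { option: Banner, value: "/etc/issue.net" }

  # Password, session and lockout policy.
  pwquality_minlen: 14
  tmout: 900
  # umasks are quoted: an unquoted leading zero would be read as octal
  # and turn "077" into the integer 63.
  umask: "077"
  umask_profile: "027"
  faillock_deny: 5
  faillock_unlock_time: 900
  password_remember: 5

# Platform-specific binary names for CIS permission targets
cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"

# Files and directories whose mode is enforced. Paths are rooted at /mnt
# (NOTE(review): presumably the target root filesystem is mounted there —
# confirm against the tasks that consume this list). Modes are quoted
# strings for the same leading-zero reason as the umasks above.
cis_permission_targets:
  - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
  - { path: "/mnt/etc/cron.hourly", mode: "0700" }
  - { path: "/mnt/etc/cron.daily", mode: "0700" }
  - { path: "/mnt/etc/cron.weekly", mode: "0700" }
  - { path: "/mnt/etc/cron.monthly", mode: "0700" }
  - { path: "/mnt/etc/cron.d", mode: "0700" }
  - { path: "/mnt/etc/crontab", mode: "0600" }
  - { path: "/mnt/etc/logrotate.conf", mode: "0644" }
  - { path: "/mnt/usr/sbin/pppd", mode: "0754" }
  - { path: "/mnt/usr/bin/{{ cis_fusermount_binary }}", mode: "0755" }
  - { path: "/mnt/usr/bin/{{ cis_write_binary }}", mode: "0755" }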