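---
# User-facing API: override via top-level `cis` dict in inventory.
# Merged with these defaults in _normalize.yml → cis_cfg.
#
# Quoting rule for this file: any value a YAML 1.1 loader could retype
# (yes/no, leading-zero modes, colon-separated numbers) is a quoted string;
# genuine integers stay bare.
cis_defaults:
  # Kernel modules the role prevents from loading: uncommon filesystems,
  # rarely needed network protocols, and hot-plug buses with DMA access.
  # NOTE(review): whether this becomes `blacklist` lines only or also
  # `install <mod> /bin/false` is decided by the consuming task, not here;
  # plain blacklist entries do not stop explicit modprobe — confirm.
  modules_blacklist:
    - freevxfs
    - jffs2
    - hfs
    - hfsplus
    - cramfs
    - udf
    - usb-storage
    - dccp
    - sctp
    - rds
    - tipc
    - firewire-core
    - firewire-sbp2
    - thunderbolt

  # Kernel and network sysctl values, written as integers on purpose.
  sysctl:
    fs.suid_dumpable: 0
    kernel.dmesg_restrict: 1
    kernel.kptr_restrict: 2
    kernel.perf_event_paranoid: 3
    kernel.unprivileged_bpf_disabled: 1
    # 2 = admin-only attach; stricter than the value of 1 CIS typically asks for.
    kernel.yama.ptrace_scope: 2
    kernel.randomize_va_space: 2
    net.ipv4.ip_forward: 0
    net.ipv4.tcp_syncookies: 1
    net.ipv4.icmp_echo_ignore_broadcasts: 1
    net.ipv4.icmp_ignore_bogus_error_responses: 1
    # conf.all and conf.default are kept as matching pairs so interfaces
    # created after boot inherit the same hardening.
    net.ipv4.conf.all.log_martians: 1
    net.ipv4.conf.all.rp_filter: 1
    net.ipv4.conf.all.secure_redirects: 0
    net.ipv4.conf.all.send_redirects: 0
    net.ipv4.conf.all.accept_redirects: 0
    net.ipv4.conf.all.accept_source_route: 0
    net.ipv4.conf.all.arp_ignore: 1
    net.ipv4.conf.all.arp_announce: 2
    net.ipv4.conf.default.log_martians: 1
    net.ipv4.conf.default.rp_filter: 1
    net.ipv4.conf.default.secure_redirects: 0
    net.ipv4.conf.default.send_redirects: 0
    net.ipv4.conf.default.accept_redirects: 0
    # conf.default counterpart of accept_source_route, so that the all/default
    # pairing above is complete and new interfaces reject source routing too.
    net.ipv4.conf.default.accept_source_route: 0
    # IPv6 is switched off entirely. If a host overrides disable_ipv6 to 0, the
    # matching ipv6 accept_ra / accept_source_route keys should be added for it.
    net.ipv6.conf.all.accept_redirects: 0
    net.ipv6.conf.all.disable_ipv6: 1
    net.ipv6.conf.default.accept_redirects: 0
    net.ipv6.conf.default.disable_ipv6: 1
    net.ipv6.conf.lo.disable_ipv6: 1

  # sshd_config directives. Values are strings because sshd reads text and an
  # unquoted yes/no would be loaded as a boolean. With PasswordAuthentication
  # and KbdInteractiveAuthentication off, key-based login is the only path in;
  # keys must be in place before this is applied.
  sshd_options:
    - option: LogLevel
      value: VERBOSE
    - option: LoginGraceTime
      value: "60"
    - option: PermitRootLogin
      value: "no"
    - option: StrictModes
      value: "yes"
    - option: MaxAuthTries
      value: "4"
    - option: MaxSessions
      value: "10"
    # start:rate:full — quoted because 10:30:60 is a sexagesimal int in YAML 1.1.
    - option: MaxStartups
      value: "10:30:60"
    - option: PubkeyAuthentication
      value: "yes"
    - option: HostbasedAuthentication
      value: "no"
    - option: IgnoreRhosts
      value: "yes"
    - option: PasswordAuthentication
      value: "no"
    - option: PermitEmptyPasswords
      value: "no"
    - option: KerberosAuthentication
      value: "no"
    - option: GSSAPIAuthentication
      value: "no"
    - option: AllowAgentForwarding
      value: "no"
    - option: AllowTcpForwarding
      value: "no"
    - option: KbdInteractiveAuthentication
      value: "no"
    - option: GatewayPorts
      value: "no"
    - option: X11Forwarding
      value: "no"
    - option: PermitUserEnvironment
      value: "no"
    # Idle sessions are dropped after one missed keepalive (300 s).
    - option: ClientAliveInterval
      value: "300"
    - option: ClientAliveCountMax
      value: "1"
    - option: PermitTunnel
      value: "no"
    - option: Banner
      value: /etc/issue.net

  # Password and session policy.
  pwquality_minlen: 14
  # Shell inactivity timeout in seconds.
  tmout: 900
  # Quoted so the leading zero is not parsed as an octal integer.
  umask: "077"
  umask_profile: "027"
  # pam_faillock: lock after 5 failures, unlock after 900 s.
  faillock_deny: 5
  faillock_unlock_time: 900
  # NOTE(review): CIS benchmarks generally recommend remember=24 for
  # pam_pwhistory; 5 is a weaker local choice — confirm it is intentional.
  password_remember: 5
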
# Platform-specific binary names for CIS permission targets
# Both are expanded inside cis_permission_targets below. `is_rhel` is
# presumably supplied by inventory or an earlier fact task; when it is unset
# the Debian-family names (fusermount, wall) are used.
cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"

# Files whose mode the role enforces. Every path sits under /mnt, which
# suggests the target root is mounted there rather than being the live system.
# NOTE(review): these records carry no owner/group; confirm the consuming task
# also enforces root:root on the cron and sshd files as CIS expects.
cis_permission_targets:
  - path: "/mnt/etc/ssh/sshd_config"
    mode: "0600"
  # cron directories are closed to non-root; crontab itself is 0600.
  - path: "/mnt/etc/cron.hourly"
    mode: "0700"
  - path: "/mnt/etc/cron.daily"
    mode: "0700"
  - path: "/mnt/etc/cron.weekly"
    mode: "0700"
  - path: "/mnt/etc/cron.monthly"
    mode: "0700"
  - path: "/mnt/etc/cron.d"
    mode: "0700"
  - path: "/mnt/etc/crontab"
    mode: "0600"
  - path: "/mnt/etc/logrotate.conf"
    mode: "0644"
  # Four-digit modes without the setuid/setgid bit: applying these clears
  # any such bit the package set. fusermount typically relies on setuid to
  # let non-root users mount, so it will generally be root-only afterwards.
  - path: "/mnt/usr/sbin/pppd"
    mode: "0754"
  - path: "/mnt/usr/bin/{{ cis_fusermount_binary }}"
    mode: "0755"
  - path: "/mnt/usr/bin/{{ cis_write_binary }}"
    mode: "0755"