portfolio/infra-run/ansible/roles/cis-rhel9-hardening/defaults/main.yml

---
cis_benchmark_version: "2.0.0"

cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false

cis_ssh_max_auth_tries: 4
cis_ssh_login_grace_time: 60
cis_ssh_client_alive_interval: 300
cis_ssh_client_alive_count_max: 3
cis_ssh_dropin_path: /etc/ssh/sshd_config.d/50-cis-rhel9-hardening.conf

cis_min_root_free_mb: 1024

cis_legacy_packages:
  - telnet
  - rsh-server
  - ypbind

cis_legacy_services:
  - telnet.socket
  - rsh.socket
  - rexec.socket
  - rlogin.socket
  - ypbind.service

cis_sysctl_settings:
  net.ipv4.ip_forward: 0
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.default.accept_source_route: 0
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.default.accept_redirects: 0
  net.ipv4.tcp_syncookies: 1

cis_sysctl_config_file: /etc/sysctl.d/60-cis-rhel9-hardening.conf

cis_audit_rules_path: /etc/audit/rules.d/50-cis-rhel9-hardening.rules
cis_audit_backlog_limit: 8192
cis_audit_rules:
  - "-w /etc/passwd -p wa -k identity"
  - "-w /etc/shadow -p wa -k identity"
  - "-w /etc/group -p wa -k identity"
  - "-w /etc/gshadow -p wa -k identity"
  - "-w /etc/sudoers -p wa -k scope"
  - "-w /etc/sudoers.d/ -p wa -k scope"
  - "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change"

cis_sudoers_dropin_path: /etc/sudoers.d/50-cis-rhel9-hardening
cis_sudo_logfile: /var/log/sudo.log

cis_mount_option_targets:
  - path: /tmp
    options:
      - nodev
      - nosuid
      - noexec
  - path: /var/tmp
    options:
      - nodev
      - nosuid
      - noexec
  - path: /home
    options:
      - nodev

cis_container_virtualization_types:
  - container
  - docker
  - lxc
  - podman
  - containerd
  - systemd-nspawn