Add IBM AIX 7 CIS-inspired hardening playbook
This commit is contained in:
Mateusz Suski
@@ -0,0 +1,98 @@
|
||||
---
|
||||
cis_benchmark_version: "1.2.0"
|
||||
|
||||
cis_disable_root_login: true
|
||||
cis_disable_password_auth: false
|
||||
cis_enable_network_hardening: true
|
||||
cis_enable_password_policy: true
|
||||
cis_enable_audit: false
|
||||
cis_manage_mount_options: false
|
||||
|
||||
cis_ssh_max_auth_tries: 4
|
||||
cis_ssh_login_grace_time: 60
|
||||
cis_ssh_client_alive_interval: 300
|
||||
cis_ssh_client_alive_count_max: 3
|
||||
cis_ssh_config_path: /etc/ssh/sshd_config
|
||||
cis_sshd_test_command: sshd -t
|
||||
|
||||
cis_min_root_free_mb: 1024
|
||||
|
||||
cis_password_minlen: 14
|
||||
cis_password_histsize: 10
|
||||
cis_password_maxage_weeks: 12
|
||||
cis_password_minalpha: 1
|
||||
cis_password_minother: 1
|
||||
cis_password_maxrepeats: 2
|
||||
cis_password_minage_weeks: 1
|
||||
cis_login_retries: 5
|
||||
cis_login_lockout: 30
|
||||
|
||||
cis_required_commands:
|
||||
- lsattr
|
||||
- chdev
|
||||
- lssrc
|
||||
- chsec
|
||||
- lssec
|
||||
- pwdadm
|
||||
- "no"
|
||||
- audit
|
||||
- cron
|
||||
|
||||
cis_ssh_candidate_paths:
|
||||
- /usr/sbin/sshd
|
||||
- /usr/bin/sshd
|
||||
- /opt/freeware/sbin/sshd
|
||||
- /opt/freeware/bin/sshd
|
||||
|
||||
cis_network_no_settings:
|
||||
ipforwarding: "0"
|
||||
ipsendredirects: "0"
|
||||
ipignoreredirects: "1"
|
||||
ipsrcrouteforward: "0"
|
||||
clean_partial_conns: "1"
|
||||
tcp_pmtu_discover: "0"
|
||||
|
||||
cis_network_nfso_settings: {}
|
||||
|
||||
cis_legacy_inetd_services:
|
||||
- telnet
|
||||
- shell
|
||||
- login
|
||||
- exec
|
||||
- comsat
|
||||
- talk
|
||||
- ntalk
|
||||
- tftp
|
||||
- uucp
|
||||
- finger
|
||||
|
||||
cis_src_subsystems:
|
||||
- sshd
|
||||
- inetd
|
||||
- syslogd
|
||||
- audit
|
||||
|
||||
cis_mount_option_targets:
|
||||
- path: /tmp
|
||||
options:
|
||||
- nosuid
|
||||
- path: /var/tmp
|
||||
options:
|
||||
- nosuid
|
||||
|
||||
cis_manage_sudo: true
|
||||
cis_sudoers_path: /etc/sudoers
|
||||
cis_sudo_logfile: /var/log/sudo.log
|
||||
cis_sudo_use_pty: true
|
||||
|
||||
cis_cron_allow_path: /var/adm/cron/cron.allow
|
||||
cis_cron_deny_path: /var/adm/cron/cron.deny
|
||||
cis_at_allow_path: /var/adm/cron/at.allow
|
||||
cis_at_deny_path: /var/adm/cron/at.deny
|
||||
cis_cron_directories:
|
||||
- /var/adm/cron
|
||||
- /var/spool/cron
|
||||
- /var/spool/cron/crontabs
|
||||
|
||||
cis_syslog_config_path: /etc/syslog.conf
|
||||
cis_audit_config_path: /etc/security/audit/config
|
||||
Reference in New Issue
Block a user