Mateusz Suski
91 lines
2.0 KiB
YAML
91 lines
2.0 KiB
YAML
---
|
|
cis_disable_root_login: true
|
|
cis_disable_password_auth: false
|
|
cis_install_auditd: true
|
|
cis_enable_chrony: true
|
|
cis_enable_rsyslog: true
|
|
cis_remove_legacy_packages: true
|
|
cis_enable_sysctl_hardening: true
|
|
cis_manage_mount_options: false
|
|
cis_manage_audit_rules: false
|
|
|
|
cis_ssh_max_auth_tries: 4
|
|
cis_ssh_login_grace_time: 60
|
|
cis_ssh_client_alive_interval: 300
|
|
cis_ssh_client_alive_count_max: 3
|
|
|
|
cis_sudo_use_pty: true
|
|
cis_sudo_logfile: /var/log/sudo.log
|
|
|
|
cis_min_root_free_mb: 1024
|
|
|
|
cis_supported_debian_major_version: "13"
|
|
cis_supported_ubuntu_version: "26.04"
|
|
|
|
cis_ssh_service_name: ssh
|
|
cis_ssh_dropin_path: /etc/ssh/sshd_config.d/50-cis-debian-ubuntu-hardening.conf
|
|
cis_ssh_main_config_path: /etc/ssh/sshd_config
|
|
|
|
cis_hardening_packages:
|
|
- chrony
|
|
- rsyslog
|
|
- sudo
|
|
|
|
cis_audit_packages:
|
|
- auditd
|
|
- audispd-plugins
|
|
|
|
cis_legacy_packages:
|
|
- telnet
|
|
- rsh-client
|
|
- rsh-server
|
|
- talk
|
|
- talkd
|
|
- nis
|
|
|
|
cis_sysctl_settings:
|
|
net.ipv4.ip_forward: 0
|
|
net.ipv4.conf.all.send_redirects: 0
|
|
net.ipv4.conf.default.send_redirects: 0
|
|
net.ipv4.conf.all.accept_source_route: 0
|
|
net.ipv4.conf.default.accept_source_route: 0
|
|
net.ipv4.conf.all.accept_redirects: 0
|
|
net.ipv4.conf.default.accept_redirects: 0
|
|
net.ipv4.tcp_syncookies: 1
|
|
|
|
cis_sysctl_config_file: /etc/sysctl.d/60-cis-debian-ubuntu-hardening.conf
|
|
|
|
cis_audit_rules_path: /etc/audit/rules.d/50-cis-debian-ubuntu-hardening.rules
|
|
cis_audit_rules:
|
|
- "-w /etc/passwd -p wa -k identity"
|
|
- "-w /etc/shadow -p wa -k identity"
|
|
- "-w /etc/group -p wa -k identity"
|
|
- "-w /etc/gshadow -p wa -k identity"
|
|
- "-w /etc/sudoers -p wa -k scope"
|
|
- "-w /etc/sudoers.d/ -p wa -k scope"
|
|
|
|
cis_sudoers_dropin_path: /etc/sudoers.d/50-cis-debian-ubuntu-hardening
|
|
|
|
cis_mount_option_targets:
|
|
- path: /tmp
|
|
options:
|
|
- nodev
|
|
- nosuid
|
|
- noexec
|
|
- path: /var/tmp
|
|
options:
|
|
- nodev
|
|
- nosuid
|
|
- noexec
|
|
- path: /home
|
|
options:
|
|
- nodev
|
|
|
|
cis_container_virtualization_types:
|
|
- container
|
|
- docker
|
|
- lxc
|
|
- podman
|
|
- containerd
|
|
- systemd-nspawn
|