portfolio/infra-run/ansible/roles/cis-aix7-hardening/defaults/main.yml

---
cis_benchmark_version: "1.2.0"

cis_disable_root_login: true
cis_disable_password_auth: false
cis_enable_network_hardening: true
cis_enable_password_policy: true
cis_enable_audit: false
cis_manage_mount_options: false

cis_ssh_max_auth_tries: 4
cis_ssh_login_grace_time: 60
cis_ssh_client_alive_interval: 300
cis_ssh_client_alive_count_max: 3
cis_ssh_config_path: /etc/ssh/sshd_config
cis_sshd_test_command: sshd -t

cis_min_root_free_mb: 1024

cis_password_minlen: 14
cis_password_histsize: 10
cis_password_maxage_weeks: 12
cis_password_minalpha: 1
cis_password_minother: 1
cis_password_maxrepeats: 2
cis_password_minage_weeks: 1
cis_login_retries: 5
cis_login_lockout: 30

cis_required_commands:
  - lsattr
  - chdev
  - lssrc
  - chsec
  - lssec
  - pwdadm
  - "no"
  - audit
  - cron

cis_ssh_candidate_paths:
  - /usr/sbin/sshd
  - /usr/bin/sshd
  - /opt/freeware/sbin/sshd
  - /opt/freeware/bin/sshd

cis_network_no_settings:
  ipforwarding: "0"
  ipsendredirects: "0"
  ipignoreredirects: "1"
  ipsrcrouteforward: "0"
  clean_partial_conns: "1"
  tcp_pmtu_discover: "0"

cis_network_nfso_settings: {}

cis_legacy_inetd_services:
  - telnet
  - shell
  - login
  - exec
  - comsat
  - talk
  - ntalk
  - tftp
  - uucp
  - finger

cis_src_subsystems:
  - sshd
  - inetd
  - syslogd
  - audit

cis_mount_option_targets:
  - path: /tmp
    options:
      - nosuid
  - path: /var/tmp
    options:
      - nosuid

cis_manage_sudo: true
cis_sudoers_path: /etc/sudoers
cis_sudo_logfile: /var/log/sudo.log
cis_sudo_use_pty: true

cis_cron_allow_path: /var/adm/cron/cron.allow
cis_cron_deny_path: /var/adm/cron/cron.deny
cis_at_allow_path: /var/adm/cron/at.allow
cis_at_deny_path: /var/adm/cron/at.deny
cis_cron_directories:
  - /var/adm/cron
  - /var/spool/cron
  - /var/spool/cron/crontabs

cis_syslog_config_path: /etc/syslog.conf
cis_audit_config_path: /etc/security/audit/config