---
# defaults file for rhel9_pci_dss
#
# Two kinds of keys are defined here:
#   - var_*           values consumed by the role's remediation tasks; the
#                     numeric ones are quoted so they stay strings rather
#                     than being coerced to integers by the YAML parser.
#   - <rule_id>: true per-rule / per-tag switches — presumably each task
#                     runs only while its key is true, so setting one to
#                     false skips that hardening step (verify in tasks/).
#
# NOTE(review): the numeric thresholds below follow a PCI DSS profile;
# confirm them against the PCI DSS version you are assessed against before
# lowering any of them in an override.

# System-wide crypto policy name. NOTE(review): DEFAULT is the least strict
# of the shipped policies — confirm it satisfies your requirement set.
var_system_crypto_policy: DEFAULT
# Idle session timeout in seconds (900 s = 15 minutes).
inactivity_timeout_value: '900'
# authselect profile the role switches the system to.
var_authselect_profile: sssd
# Number of previous passwords a user may not reuse.
var_password_pam_unix_remember: '4'
# Failed login attempts before faillock locks the account.
var_accounts_passwords_pam_faillock_deny: '6'
# Lockout duration in seconds (1800 s = 30 minutes).
var_accounts_passwords_pam_faillock_unlock_time: '1800'
# pam_pwquality credits: -1 means "at least one of this class is required".
var_password_pam_dcredit: '-1'
var_password_pam_lcredit: '-1'
# Minimum password length. NOTE(review): PCI DSS v4.0 (req. 8.3.6) raises
# the minimum to 12 characters (8 where the system cannot support 12);
# 7 corresponds to the v3.2.1 requirement — confirm the target version.
var_password_pam_minlen: '7'
var_password_pam_ucredit: '-1'
# Hashing algorithm written to login.defs / libuser / PAM stacks below.
var_password_hashing_algorithm: SHA512
# OpenSC smart-card driver to enable.
var_smartcard_drivers: cac
# Days after password expiry before the account is disabled.
var_account_disable_post_pw_expiration: '90'
# Maximum password age (PASS_MAX_DAYS) in days.
var_accounts_maximum_age_login_defs: '90'
# auditd.conf values: who is mailed, what happens when disk space runs low,
# per-file log size (MB), rotation behaviour and retained log count.
var_auditd_action_mail_acct: root
var_auditd_admin_space_left_action: single
var_auditd_max_log_file: '6'
var_auditd_max_log_file_action: rotate
var_auditd_num_logs: '5'
var_auditd_space_left_action: email
# Comma-separated list of chrony time sources (single plain scalar, not a
# YAML list). NOTE(review): public pool hosts — confirm they are reachable
# from the target network or replace with approved internal time sources.
var_multiple_time_servers: 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org

# --- Rule switches: account and password policy ---
account_disable_post_pw_expiration: true
accounts_maximum_age_login_defs: true
accounts_password_pam_dcredit: true
accounts_password_pam_lcredit: true
accounts_password_pam_minlen: true
accounts_password_pam_ucredit: true
accounts_password_pam_unix_remember: true
accounts_passwords_pam_faillock_deny: true
accounts_passwords_pam_faillock_unlock_time: true
# --- Rule switches: file integrity (AIDE) ---
aide_build_database: true
aide_periodic_cron_checking: true
# --- Rule switches: audit rules (one key per syscall / event class) ---
audit_rules_dac_modification_chmod: true
audit_rules_dac_modification_chown: true
audit_rules_dac_modification_fchmod: true
audit_rules_dac_modification_fchmodat: true
audit_rules_dac_modification_fchown: true
audit_rules_dac_modification_fchownat: true
audit_rules_dac_modification_fremovexattr: true
audit_rules_dac_modification_fsetxattr: true
audit_rules_dac_modification_lchown: true
audit_rules_dac_modification_lremovexattr: true
audit_rules_dac_modification_lsetxattr: true
audit_rules_dac_modification_removexattr: true
audit_rules_dac_modification_setxattr: true
audit_rules_file_deletion_events_rename: true
audit_rules_file_deletion_events_renameat: true
audit_rules_file_deletion_events_rmdir: true
audit_rules_file_deletion_events_unlink: true
audit_rules_file_deletion_events_unlinkat: true
# Makes the loaded audit ruleset immutable (-e 2); changing rules afterwards
# requires a reboot.
audit_rules_immutable: true
audit_rules_kernel_module_loading_delete: true
audit_rules_kernel_module_loading_finit: true
audit_rules_kernel_module_loading_init: true
audit_rules_mac_modification: true
audit_rules_media_export: true
audit_rules_networkconfig_modification: true
audit_rules_privileged_commands: true
audit_rules_session_events: true
audit_rules_sysadmin_actions: true
audit_rules_time_adjtimex: true
audit_rules_time_clock_settime: true
audit_rules_time_settimeofday: true
audit_rules_time_stime: true
audit_rules_time_watch_localtime: true
audit_rules_unsuccessful_file_modification_creat: true
audit_rules_unsuccessful_file_modification_ftruncate: true
audit_rules_unsuccessful_file_modification_open: true
audit_rules_unsuccessful_file_modification_open_by_handle_at: true
audit_rules_unsuccessful_file_modification_openat: true
audit_rules_unsuccessful_file_modification_truncate: true
audit_rules_usergroup_modification_group: true
audit_rules_usergroup_modification_gshadow: true
audit_rules_usergroup_modification_opasswd: true
audit_rules_usergroup_modification_passwd: true
audit_rules_usergroup_modification_shadow: true
# --- Rule switches: auditd daemon configuration and log retention ---
auditd_audispd_syslog_plugin_activated: true
auditd_data_retention_action_mail_acct: true
auditd_data_retention_admin_space_left_action: true
auditd_data_retention_max_log_file: true
auditd_data_retention_max_log_file_action: true
auditd_data_retention_num_logs: true
auditd_data_retention_space_left_action: true
# --- Rule switches: time sync, crypto policy, smart cards ---
chronyd_specify_remote_server: true
configure_crypto_policy: true
configure_kerberos_crypto_policy: true
configure_libreswan_crypto_policy: true
configure_opensc_card_drivers: true
configure_openssl_crypto_policy: true
configure_ssh_crypto_policy: true
# "*_strategy" keys below look like remediation-strategy tags rather than
# rules (configure / disable / enable / patch / restrict / unknown).
configure_strategy: true
# --- Rule switches: GNOME screensaver / session locking ---
dconf_db_up_to_date: true
dconf_gnome_screensaver_idle_activation_enabled: true
dconf_gnome_screensaver_idle_delay: true
dconf_gnome_screensaver_lock_enabled: true
dconf_gnome_screensaver_mode_blank: true
dconf_gnome_session_idle_user_locks: true
disable_strategy: true
display_login_attempts: true
enable_authselect: true
enable_strategy: true
# --- Rule switches: package signing, log rotation ---
ensure_gpgcheck_globally_activated: true
ensure_gpgcheck_never_disabled: true
ensure_logrotate_activated: true
ensure_redhat_gpgkey_installed: true
# --- Rule switches: ownership and permissions of critical files ---
file_groupowner_etc_group: true
file_groupowner_etc_passwd: true
file_groupowner_etc_shadow: true
file_groupowner_grub2_cfg: true
file_owner_etc_group: true
file_owner_etc_passwd: true
file_owner_etc_shadow: true
file_owner_grub2_cfg: true
file_permissions_etc_group: true
file_permissions_etc_passwd: true
file_permissions_etc_shadow: true
file_permissions_var_log_audit: true
grub2_audit_argument: true
# Severity / complexity / disruption tags — all enabled, so no task is
# filtered out on these dimensions. Presumably the generated tasks are
# tagged with these names; verify before using them as filters.
high_complexity: true
high_disruption: true
high_severity: true
low_complexity: true
low_disruption: true
low_severity: true
medium_complexity: true
medium_disruption: true
medium_severity: true
no_empty_passwords: true
# Both reboot tags are enabled, so tasks of either kind run.
no_reboot_needed: true
# --- Rule switches: required packages and services ---
package_aide_installed: true
package_audispd_plugins_installed: true
package_libreswan_installed: true
package_opensc_installed: true
package_pcsc_lite_installed: true
patch_strategy: true
reboot_required: true
restrict_strategy: true
# RPM verification of installed-file hashes and permissions.
rpm_verify_hashes: true
rpm_verify_permissions: true
rsyslog_files_groupownership: true
rsyslog_files_ownership: true
rsyslog_files_permissions: true
security_patches_up_to_date: true
service_auditd_enabled: true
service_chronyd_enabled: true
service_pcscd_enabled: true
# Apply var_password_hashing_algorithm to each place it is configured.
set_password_hashing_algorithm_libuserconf: true
set_password_hashing_algorithm_logindefs: true
set_password_hashing_algorithm_passwordauth: true
set_password_hashing_algorithm_systemauth: true
skip_ansible_lint: true
sssd_enable_smartcards: true
unknown_strategy: true