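---
# Variables for the hardening role: login group, per-distribution services to
# disable, sshd crypto policy, password/session policy values and tool paths.
# The tasks/templates that consume these keys are not in this file, so units
# and exact semantics are hedged where this file alone does not establish them.

# presumably the group whose members may log in — confirm against the consumer
allowed_group: users
log_retention_time_in_months: 6

# Services to disable on Slackware.
slackware_services:
  - inetd
  - yp
  - cups
  - cups-browsed
  - atd

# Services to disable on Debian-based systems.
debian_services:
  - avahi-daemon
  - bluetooth
  - hciuart
  - cups
  - cups-browsed
  - atd
  - ModemManager
  - triggerhappy
  - xinetd
  - inetd
  - rsync
  # for servers
  # - triggerhappy
  # - wpa_supplicant
  # - alsa-restore
  # - alsa-state
  # - hciuart
  # NFS stuff from nfs-common & nfs-kernel-server packages
  - nfs-blkmap
  - nfs-idmapd
  - nfs-mountd
  - nfs-server
  # CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024 2.1.12 Ensure rpcbind services are not in use
  # CIS Distribution Independent Linux v2.0.0 - 07-16-2019 2.2.7 Ensure NFS and RPC are not enabled
  - rpcbind

# Services and TCP ports that remain enabled/open after hardening.
allowed_services:
  - sshd
allowed_tcp_ports:
  - 22

# sshd_config directives. Algorithm lists are comma-separated with no spaces,
# in preference order, exactly as sshd expects them.
sshd_config:
  Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
  MACs: hmac-sha2-512-etm@openssh.com
  KexAlgorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
  HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512
  MaxAuthTries: 3

# Value from system-hardening-10.2.txt
fail_delay: 20
# presumably minutes (shell/login idle timeout) — confirm against the template
session_timeout: 15
nproc_limit: 8192
# presumably the SHA-crypt rounds for password hashing — confirm against the consumer
crypt_rounds: 500000
run_lynis_after_hardening: false
sudo_ids: false
sudo_iolog: false
# Jinja expressions are single-quoted so YAML does not parse the leading "{" as a flow mapping.
aide_conf: '{% if ansible_distribution == "Slackware" %}/etc/aide.conf{% else %}/etc/aide/aide.conf{% endif %}'
# Password ageing values (days).
pass_max_days: 365
pass_min_days: 7
pass_warn_age: 30
inactive_password_lock: 30
lynis_location: '{% if ansible_os_family == "RedHat" or ansible_distribution == "Slackware" %}/usr/bin/lynis{% else %}/usr/sbin/lynis{% endif %}'
chkrootkit_conf_dir: '/etc/chkrootkit'
cisofy_keyring: /etc/apt/keyrings/cisofy.asc
# HSTS max-age, presumably in seconds as in the Strict-Transport-Security header.
# NOTE(review): 600 s (10 minutes) is far below the commonly recommended
# one year (31536000); confirm this is an intentional initial-rollout value.
hsts_max_age: 600
clamav_location: '{% if (ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu") and ansible_architecture == "x86_64" %}/usr/local/bin{% else %}/usr/bin{% endif %}'
# ClamAV runtime paths, in block style rather than a multi-line flow mapping.
clamav:
  socket: '/run/clamav/clamd.sock'
  database: '/var/lib/clamav'
  pid: '/run/clamav/clamd.pid'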