-
Notifications
You must be signed in to change notification settings - Fork 0
/
cis_vars.yml
130 lines (113 loc) · 2.59 KB
/
cis_vars.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
---
GRUB_DISABLE_IPV6: 'yes'
GRUB_ENABLE_AUDIT: 'yes'
GRUB_CUSTOM_BOOT_PARAMS: ''
DISABLE_SYSCTL_BUGFIX: no
AIDE_FIRSTRUN: no
DISABLE_CRON_AIDE_CHECK: yes
# Impacts auditd config template
SELINUX: no
APPARMOR: yes
ARCH: 'amd64'
# Leave empty ('') if no remote logging
LOGHOST_URI: ''
LOGHOST_TRANSPORT: 'tcp'
LOGHOST_zlevel: '4'
#ARCH: 'i686' for 32bit
# Specify 'ntp' or 'chrony' for time synchronization
TIMESYNC: 'chrony'
Organization_Name: "Maniacal Overlords United"
POLICY_URI: "http://bitst0rm.network/AURP"
WORKSPACE_PATH: '/usr/local/etc/ans'
# FOR TEMPLATE BACKUP CLEANUP
TEMPLATE_FILES:
- cis.conf.*
- sysctl.conf.*
- limits.conf.*
- cis.rules.*
- rsyslog.conf.*
REMOVE_DEFAULT_PKGS:
- ldap-utils
- openbsd-inetd
- nis
- rsh-client
- rsh-redone-client
- talk
- telnet
INSTALL_DEFAULT_PKGS:
- openssh-server
- auditd
- cron
- rsyslog
- iptables
- aide
- aide-common
- "{{TIMESYNC|default('chrony',true)}}"
DEFAULT_ENABLED_SERVICES:
- ssh
- auditd
- rsyslog
- cron
- "{{TIMESYNC|default('chrony',true)}}"
DEFAULT_DISABLED_SERVICES:
- autofs
- xinetd
- avahi-daemon
- cups
- isc-dhcp-server
- isc-dhcp-server6
- slapd
- nfs-server
- rpcbind
- bind9
- vsftpd
- apache2
- nginx
- dovecot
- smbd
- squid
- snmp
- rsync
- nis
DISABLE_MODULES:
# Disable Modules for CIS Benchmark
# Description:
# This section disables problematic kernel modules using
# install <pkg> /bin/true
# Modules may be deselected by commenting out the appropriate line.
# Disable Uncommon Filesystems (1.1)
- cramfs
# - freevxfs
- jffs2
- hfs
- hfsplus
- udf
# Disable Uncommon Network Protocols (3.5)
- dccp
- sctp
- rds
- tipc
# SYSCTL
SYS_NETWORK_PARAM:
- net.ipv4.conf.ip_forward=0
- net.ipv4.conf.all.send_redirects=0
- net.ipv4.conf.default.send_redirects=0
- net.ipv4.conf.all.accept_source_route=0
- net.ipv4.conf.default.accept_source_route=0
- net.ipv4.conf.all.accept_redirects=0
- net.ipv4.conf.default.accept_redirects=0
- net.ipv4.conf.all.secure_redirects=0
- net.ipv4.conf.default.secure_redirects=0
- net.ipv4.conf.all.log_martians=1
- net.ipv4.conf.default.log_martians=1
- net.ipv4.icmp_echo_ignore_broadcasts=1
- net.ipv4.icmp_ignore_bogus_error_responses=1
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.tcp_syncookies=1
- net.ipv6.conf.all.accept_ra=0
- net.ipv6.conf.default.accept_ra=0
- net.ipv6.conf.all.accept_redirects=0
- net.ipv6.conf.default.accept_redirects=0
# SYSCTL disables core dumps (depends: template: security/limits.conf config)
SYS_CORE_HARDENING:
- fs.suid_dumpable=0