cis_vars.yml

---
GRUB_DISABLE_IPV6: 'yes'
GRUB_ENABLE_AUDIT: 'yes'
GRUB_CUSTOM_BOOT_PARAMS: ''
DISABLE_SYSCTL_BUGFIX: no
AIDE_FIRSTRUN: no
DISABLE_CRON_AIDE_CHECK: yes

# Impacts auditd config template
SELINUX: no
APPARMOR: yes
ARCH: 'amd64'
# Leave empty ('') if no remote logging
LOGHOST_URI: ''
LOGHOST_TRANSPORT: 'tcp'
LOGHOST_zlevel: '4'

#ARCH: 'i686' for 32bit
# Specify 'ntp' or 'chrony' for time synchronization

TIMESYNC: 'chrony'


Organization_Name: "Maniacal Overlords United"
POLICY_URI: "http://bitst0rm.network/AURP"


WORKSPACE_PATH: '/usr/local/etc/ans'

# FOR TEMPLATE BACKUP CLEANUP
TEMPLATE_FILES:
  - cis.conf.*
  - sysctl.conf.*
  - limits.conf.*
  - cis.rules.*
  - rsyslog.conf.*

REMOVE_DEFAULT_PKGS:
  - ldap-utils
  - openbsd-inetd
  - nis
  - rsh-client
  - rsh-redone-client
  - talk
  - telnet

INSTALL_DEFAULT_PKGS:
  - openssh-server
  - auditd
  - cron
  - rsyslog
  - iptables
  - aide
  - aide-common
  - "{{TIMESYNC|default('chrony',true)}}"


DEFAULT_ENABLED_SERVICES:
  - ssh
  - auditd
  - rsyslog
  - cron
  - "{{TIMESYNC|default('chrony',true)}}"


DEFAULT_DISABLED_SERVICES:
  - autofs
  - xinetd
  - avahi-daemon
  - cups
  - isc-dhcp-server
  - isc-dhcp-server6
  - slapd
  - nfs-server
  - rpcbind
  - bind9
  - vsftpd
  - apache2
  - nginx
  - dovecot
  - smbd
  - squid
  - snmp
  - rsync
  - nis

DISABLE_MODULES:
# Disable Modules for CIS Benchmark
# Description:
# This section disables problematic kernel modules using
#  install <pkg> /bin/true
# Modules may be deselected by commenting out the appropriate line.
# Disable Uncommon Filesystems (1.1)
  - cramfs
#  - freevxfs
  - jffs2
  - hfs
  - hfsplus
  - udf
# Disable Uncommon Network Protocols (3.5)
  - dccp
  - sctp
  - rds
  - tipc

# SYSCTL
SYS_NETWORK_PARAM:
  - net.ipv4.conf.ip_forward=0
  - net.ipv4.conf.all.send_redirects=0
  - net.ipv4.conf.default.send_redirects=0
  - net.ipv4.conf.all.accept_source_route=0
  - net.ipv4.conf.default.accept_source_route=0
  - net.ipv4.conf.all.accept_redirects=0
  - net.ipv4.conf.default.accept_redirects=0
  - net.ipv4.conf.all.secure_redirects=0
  - net.ipv4.conf.default.secure_redirects=0
  - net.ipv4.conf.all.log_martians=1
  - net.ipv4.conf.default.log_martians=1
  - net.ipv4.icmp_echo_ignore_broadcasts=1
  - net.ipv4.icmp_ignore_bogus_error_responses=1
  - net.ipv4.conf.all.rp_filter=1
  - net.ipv4.tcp_syncookies=1
  - net.ipv6.conf.all.accept_ra=0
  - net.ipv6.conf.default.accept_ra=0
  - net.ipv6.conf.all.accept_redirects=0
  - net.ipv6.conf.default.accept_redirects=0

# SYSCTL disables core dumps (depends: template: security/limits.conf config)
SYS_CORE_HARDENING:
  - fs.suid_dumpable=0