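---
# defaults file for RHEL7-CIS
#
# Every value here is a role default and can be overridden from inventory,
# group_vars or extra-vars. Booleans are written as true/false throughout so
# that YAML 1.1 and 1.2 loaders agree on their type (no yes/no/on/off).

rhel7cis_skip_for_travis: false
rhel7cis_notauto: false

# Master switches: a whole CIS section must be enabled for any of the
# per-rule toggles below to take effect.
rhel7cis_section1: true
rhel7cis_section2: true
rhel7cis_section3: true
rhel7cis_section4: true
rhel7cis_section5: true
rhel7cis_section6: true

# NOTE(review): semantics not visible here — presumably true keeps SELinux
# disabled on the target; confirm against the section 1 tasks.
rhel7cis_selinux_disable: false

# These variables correspond with the CIS rule IDs or paragraph numbers
# defined in the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section
# group variables and tags.
# You must enable an entire section in order for the variables below to
# take effect.

# Section 1 rules
rhel7cis_rule_1_1_1_1: true
rhel7cis_rule_1_1_1_2: true
rhel7cis_rule_1_1_1_3: true
rhel7cis_rule_1_1_1_4: true
rhel7cis_rule_1_1_1_5: true
rhel7cis_rule_1_1_1_6: true
rhel7cis_rule_1_1_1_7: true
rhel7cis_rule_1_1_1_8: true
rhel7cis_rule_1_1_2: true
rhel7cis_rule_1_1_3: true
rhel7cis_rule_1_1_4: true
rhel7cis_rule_1_1_5: true
rhel7cis_rule_1_1_6: true
rhel7cis_rule_1_1_7: true
rhel7cis_rule_1_1_8: true
rhel7cis_rule_1_1_9: true
rhel7cis_rule_1_1_10: true
rhel7cis_rule_1_1_11: true
rhel7cis_rule_1_1_12: true
rhel7cis_rule_1_1_13: true
rhel7cis_rule_1_1_14: true
rhel7cis_rule_1_1_15: true
rhel7cis_rule_1_1_16: true
rhel7cis_rule_1_1_17: true
rhel7cis_rule_1_1_18: true
rhel7cis_rule_1_1_19: true
rhel7cis_rule_1_1_20: true
rhel7cis_rule_1_1_21: true
rhel7cis_rule_1_1_22: true
rhel7cis_rule_1_2_1: true
rhel7cis_rule_1_2_2: true
rhel7cis_rule_1_2_3: true
rhel7cis_rule_1_2_4: true
rhel7cis_rule_1_2_5: true
rhel7cis_rule_1_3_1: true
rhel7cis_rule_1_3_2: true
rhel7cis_rule_1_4_1: true
rhel7cis_rule_1_4_2: true
rhel7cis_rule_1_4_3: true
rhel7cis_rule_1_5_1: true
rhel7cis_rule_1_5_2: true
rhel7cis_rule_1_5_3: true
rhel7cis_rule_1_5_4: true
rhel7cis_rule_1_6_1_1: true
rhel7cis_rule_1_6_1_2: true
rhel7cis_rule_1_6_1_3: true
rhel7cis_rule_1_6_1_4: true
rhel7cis_rule_1_6_1_5: true
rhel7cis_rule_1_6_2: true
rhel7cis_rule_1_7_1_1: true
rhel7cis_rule_1_7_1_2: true
rhel7cis_rule_1_7_1_3: true
rhel7cis_rule_1_7_1_4: true
rhel7cis_rule_1_7_1_5: true
rhel7cis_rule_1_7_1_6: true
rhel7cis_rule_1_7_2: true
rhel7cis_rule_1_8: true

# Section 2 rules
rhel7cis_rule_2_1_1: true
rhel7cis_rule_2_1_2: true
rhel7cis_rule_2_1_3: true
rhel7cis_rule_2_1_4: true
rhel7cis_rule_2_1_5: true
rhel7cis_rule_2_1_6: true
rhel7cis_rule_2_1_7: true
rhel7cis_rule_2_2_1_1: true
rhel7cis_rule_2_2_1_2: true
rhel7cis_rule_2_2_1_3: true
rhel7cis_rule_2_2_2: true
rhel7cis_rule_2_2_3: true
rhel7cis_rule_2_2_4: true
rhel7cis_rule_2_2_5: true
rhel7cis_rule_2_2_6: true
rhel7cis_rule_2_2_7: true
rhel7cis_rule_2_2_8: true
rhel7cis_rule_2_2_9: true
rhel7cis_rule_2_2_10: true
rhel7cis_rule_2_2_11: true
rhel7cis_rule_2_2_12: true
rhel7cis_rule_2_2_13: true
rhel7cis_rule_2_2_14: true
rhel7cis_rule_2_2_15: true
rhel7cis_rule_2_2_16: true
rhel7cis_rule_2_2_17: true
rhel7cis_rule_2_2_18: true
rhel7cis_rule_2_2_19: true
rhel7cis_rule_2_2_20: true
rhel7cis_rule_2_2_21: true
rhel7cis_rule_2_3_1: true
rhel7cis_rule_2_3_2: true
rhel7cis_rule_2_3_3: true
rhel7cis_rule_2_3_4: true
rhel7cis_rule_2_3_5: true

# Section 3 rules
rhel7cis_rule_3_1_1: true
rhel7cis_rule_3_1_2: true
rhel7cis_rule_3_2_1: true
rhel7cis_rule_3_2_2: true
rhel7cis_rule_3_2_3: true
rhel7cis_rule_3_2_4: true
rhel7cis_rule_3_2_5: true
rhel7cis_rule_3_2_6: true
rhel7cis_rule_3_2_7: true
rhel7cis_rule_3_2_8: true
rhel7cis_rule_3_3_1: true
rhel7cis_rule_3_3_2: true
rhel7cis_rule_3_3_3: true
rhel7cis_rule_3_4_1: true
rhel7cis_rule_3_4_2: true
rhel7cis_rule_3_4_3: true
rhel7cis_rule_3_4_4: true
rhel7cis_rule_3_4_5: true
rhel7cis_rule_3_5_1: true
rhel7cis_rule_3_5_2: true
rhel7cis_rule_3_5_3: true
rhel7cis_rule_3_5_4: true
rhel7cis_rule_3_6_1: true
rhel7cis_rule_3_6_2: true
rhel7cis_rule_3_6_3: true
rhel7cis_rule_3_6_4: true
rhel7cis_rule_3_6_5: true

# Section 4 rules
rhel7cis_rule_4_1_1_1: true
rhel7cis_rule_4_1_1_2: true
rhel7cis_rule_4_1_1_3: true
rhel7cis_rule_4_1_2: true
rhel7cis_rule_4_1_3: true
rhel7cis_rule_4_1_4: true
rhel7cis_rule_4_1_5: true
rhel7cis_rule_4_1_6: true
rhel7cis_rule_4_1_7: true
rhel7cis_rule_4_1_8: true
rhel7cis_rule_4_1_9: true
rhel7cis_rule_4_1_10: true
rhel7cis_rule_4_1_11: true
rhel7cis_rule_4_1_12: true
rhel7cis_rule_4_1_13: true
rhel7cis_rule_4_1_14: true
rhel7cis_rule_4_1_15: true
rhel7cis_rule_4_1_16: true
rhel7cis_rule_4_1_17: true
rhel7cis_rule_4_1_18: true
# 4.2.3 is listed ahead of the 4.2.1.x / 4.2.2.x toggles; mapping order has
# no effect on behaviour.
rhel7cis_rule_4_2_3: true
rhel7cis_rule_4_2_1_1: true
rhel7cis_rule_4_2_1_2: true
rhel7cis_rule_4_2_1_3: true
rhel7cis_rule_4_2_1_4: true
rhel7cis_rule_4_2_1_5: true
rhel7cis_rule_4_2_2_1: true
rhel7cis_rule_4_2_2_2: true
rhel7cis_rule_4_2_2_3: true
rhel7cis_rule_4_2_2_4: true
rhel7cis_rule_4_2_2_5: true
rhel7cis_rule_4_2_4: true
rhel7cis_rule_4_3: true

# Section 5 rules
rhel7cis_rule_5_1_1: true
rhel7cis_rule_5_1_2: true
rhel7cis_rule_5_1_3: true
rhel7cis_rule_5_1_4: true
rhel7cis_rule_5_1_5: true
rhel7cis_rule_5_1_6: true
rhel7cis_rule_5_1_7: true
rhel7cis_rule_5_1_8: true
rhel7cis_rule_5_2_1: true
rhel7cis_rule_5_2_2: true
rhel7cis_rule_5_2_3: true
rhel7cis_rule_5_2_4: true
rhel7cis_rule_5_2_5: true
rhel7cis_rule_5_2_6: true
rhel7cis_rule_5_2_7: true
rhel7cis_rule_5_2_8: true
rhel7cis_rule_5_2_9: true
rhel7cis_rule_5_2_10: true
rhel7cis_rule_5_2_11: true
rhel7cis_rule_5_2_12: true
rhel7cis_rule_5_2_13: true
rhel7cis_rule_5_2_14: true
rhel7cis_rule_5_2_15: true
rhel7cis_rule_5_2_16: true
rhel7cis_rule_5_3_1: true
rhel7cis_rule_5_3_2: true
rhel7cis_rule_5_3_3: true
rhel7cis_rule_5_3_4: true
rhel7cis_rule_5_4_1_1: true
rhel7cis_rule_5_4_1_2: true
rhel7cis_rule_5_4_1_3: true
rhel7cis_rule_5_4_1_4: true
rhel7cis_rule_5_4_2: true
rhel7cis_rule_5_4_3: true
rhel7cis_rule_5_4_4: true

# Section 6 rules
rhel7cis_rule_6_1_1: true
rhel7cis_rule_6_1_2: true
rhel7cis_rule_6_1_3: true
rhel7cis_rule_6_1_4: true
rhel7cis_rule_6_1_5: true
rhel7cis_rule_6_1_6: true
rhel7cis_rule_6_1_7: true
rhel7cis_rule_6_1_8: true
rhel7cis_rule_6_1_9: true
rhel7cis_rule_6_1_10: true
rhel7cis_rule_6_1_11: true
rhel7cis_rule_6_1_12: true
rhel7cis_rule_6_1_13: true
rhel7cis_rule_6_1_14: true
rhel7cis_rule_6_2_1: true
rhel7cis_rule_6_2_2: true
rhel7cis_rule_6_2_3: true
rhel7cis_rule_6_2_4: true
rhel7cis_rule_6_2_5: true
rhel7cis_rule_6_2_6: true
rhel7cis_rule_6_2_7: true
rhel7cis_rule_6_2_8: true
rhel7cis_rule_6_2_9: true
rhel7cis_rule_6_2_10: true
rhel7cis_rule_6_2_11: true
rhel7cis_rule_6_2_12: true
# NOTE(review): no rhel7cis_rule_6_2_13 default is declared here; if the
# role's tasks reference it, it will be undefined unless set elsewhere.
rhel7cis_rule_6_2_14: true
rhel7cis_rule_6_2_15: true
rhel7cis_rule_6_2_16: true
rhel7cis_rule_6_2_17: true
rhel7cis_rule_6_2_18: true
rhel7cis_rule_6_2_19: true

# Service configuration booleans: set a service to true to keep it on the
# host; the hardening default is to remove/disable everything listed.
rhel7cis_avahi_server: false
rhel7cis_cups_server: false
rhel7cis_dhcp_server: false
rhel7cis_ldap_server: false
rhel7cis_telnet_server: false
rhel7cis_nfs_server: false
rhel7cis_rpc_server: false
rhel7cis_ntalk_server: false
rhel7cis_rsyncd_server: false
rhel7cis_tftp_server: false
rhel7cis_rsh_server: false
rhel7cis_nis_server: false
rhel7cis_snmp_server: false
rhel7cis_squid_server: false
rhel7cis_smb_server: false
rhel7cis_dovecot_server: false
rhel7cis_httpd_server: false
rhel7cis_vsftpd_server: false
rhel7cis_named_server: false
rhel7cis_nfs_rpc_server: false
rhel7cis_is_mail_server: false
rhel7cis_bind: false
rhel7cis_vsftpd: false
rhel7cis_httpd: false
rhel7cis_dovecot: false
rhel7cis_samba: false
rhel7cis_squid: false
rhel7cis_net_snmp: false
rhel7cis_allow_autofs: false

# xinetd required
rhel7cis_xinetd_required: false

# RedHat Satellite Subscription items
rhel7cis_rhnsd_required: false

# 1.4.2 Bootloader password
# NOTE(review): presumably the password is only applied when
# rhel7cis_set_boot_pass is true — confirm in the 1.4.2 task. Override
# rhel7cis_bootloader_password from a vault-protected source rather than
# committing a real value here.
rhel7cis_bootloader_password: random
rhel7cis_set_boot_pass: false

# System network parameters (host only OR host and router)
rhel7cis_is_router: false

# IPv6 required
rhel7cis_ipv6_required: true

# AIDE
rhel7cis_config_aide: true

# AIDE cron settings
rhel7cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/sbin/aide --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'

# SELinux policy
rhel7cis_selinux_pol: targeted

# Whether or not to run tasks related to auditing/patching the desktop
# environment
rhel7cis_gui: false

# Set to 'true' if X Windows is needed in your environment
rhel7cis_xwindows_required: false
rhel7cis_openldap_clients_required: false
rhel7cis_telnet_required: false
rhel7cis_talk_required: false
rhel7cis_rsh_required: false
rhel7cis_ypbind_required: false

# Time Synchronization
rhel7cis_time_synchronization: chrony
#rhel7cis_time_synchronization: ntp
# Public NTP pool; point these at internal/trusted time sources where
# available so audit timestamps depend only on infrastructure you control.
rhel7cis_time_synchronization_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org
rhel7cis_chrony_server_options: "minpoll 8"
rhel7cis_ntp_server_options: "iburst"

# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
# These are the RFC 1918 private ranges; narrow them to the networks that
# actually need to reach this host.
rhel7cis_host_allow:
  - "10.0.0.0/255.0.0.0"
  - "172.16.0.0/255.240.0.0"
  - "192.168.0.0/255.255.0.0"

#rhel7cis_firewall: firewalld
#rhel7cis_firewall: iptables
rhel7cis_firewall_services:
  - ssh
  - dhcpv6-client

# Warning Banner Content (issue, issue.net, motd)
rhel7cis_warning_banner: |
  Authorized uses only. All activity may be monitored and reported.
# End Banner

## Section4 vars
rhel7cis_auditd:
  admin_space_left_action: halt
  max_log_file_action: keep_logs

rhel7cis_logrotate: "daily"
rhel7cis_sudolog: /var/log/secure

## Section5 vars
rhel7cis_sshd:
  clientalivecountmax: 3
  clientaliveinterval: 300
  ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
  logingracetime: 60
  # - make sure you understand the precedence when working with these values!!
  #allowusers:
  #allowgroups: systems dba
  #denyusers:
  #denygroups:

rhel7cis_pass:
  max_days: 90
  min_days: 7
  warn_age: 7

# Values are kept as quoted strings so they are written into the pwquality
# config verbatim.
rhel7cis_pwquality:
  minlen: '14'
  dcredit: '-1'
  ucredit: '-1'
  ocredit: '-1'
  lcredit: '-1'

# Syslog system
rhel7cis_syslog: rsyslog
#rhel7cis_syslog: syslog-ng

# /var/tmp bind mount onto /tmp; not applied unless enabled is true.
rhel7cis_vartmp:
  source: /tmp
  fstype: none
  opts: "defaults,nodev,nosuid,noexec,bind"
  enabled: false

# Minimum UID used by rule 5.4.2 (presumably the lowest UID treated as a
# regular user account — confirm in the task).
rhel7cis_rule_5_4_2_min_uid: 1000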