
Small documentation fixes.
Signed-off-by: Diana-Maria Dumitru <[email protected]>
DianaMariaDDM committed Jan 30, 2024
1 parent 6919147 commit 154b65d
Showing 1 changed file with 46 additions and 24 deletions.
70 changes: 46 additions & 24 deletions defaults/main.yml
Expand Up @@ -595,22 +595,34 @@ amzn2023cis_chrony_server_options: "minpoll 8"
# The set of rules that make up section 2.2, are used for ensuring that
# certain services are not installed on the OS.
# The following list of variables determine if a service shall be kept
# on the OS or if it shall be uninstalled. If you specifically want for
# a service to remain on your machine then set that service's variable's
# value to true!
# on the OS or if it shall be uninstalled.
# Set this variable to `true` to keep service `avahi`; otherwise, the service is uninstalled.
amzn2023cis_avahi_server: false
# Set this variable to `true` to keep service `cups`; otherwise, the service is uninstalled.
amzn2023cis_cups_server: false
# Set this variable to `true` to keep service `dhcp`; otherwise, the service is uninstalled.
amzn2023cis_dhcp_server: false
# Set this variable to `true` to keep service `dns`; otherwise, the service is uninstalled.
amzn2023cis_dns_server: false
# Set this variable to `true` to keep service `dnsmasq`; otherwise, the service is uninstalled.
amzn2023cis_dnsmasq_server: false
# Set this variable to `true` to keep service `vsftpd`; otherwise, the service is uninstalled.
amzn2023cis_vsftpd_server: false
# Set this variable to `true` to keep service `tftp`; otherwise, the service is uninstalled.
amzn2023cis_tftp_server: false
# Set this variable to `true` to keep service `httpd`; otherwise, the service is uninstalled.
amzn2023cis_httpd_server: false
# Set this variable to `true` to keep service `nginx`; otherwise, the service is uninstalled.
amzn2023cis_nginx_server: false
# Set this variable to `true` to keep service `dovecot`; otherwise, the service is uninstalled.
amzn2023cis_dovecot_server: false
# Set this variable to `true` to keep service `imap`; otherwise, the service is uninstalled.
amzn2023cis_imap_server: false
# Set this variable to `true` to keep service `samba`; otherwise, the service is uninstalled.
amzn2023cis_samba_server: false
# Set this variable to `true` to keep service `squid`; otherwise, the service is uninstalled.
amzn2023cis_squid_server: false
# Set this variable to `true` to keep service `snmp`; otherwise, the service is uninstalled.
amzn2023cis_snmp_server: false

## Control 2.2.12 - Ensure net-snmp is not installed or the snmpd service is not enabled
Expand Down Expand Up @@ -690,11 +702,15 @@ amzn2023cis_ftp_client: false
# value to 'true' so as to execute the needed update!
amzn2023cis_sysctl_update: false

# The following variables are responsible for the execution of a
# handler that flushes ipv4 or ipv6 route table. Although the default
# values are 'false', some tasks are in need of these handlers to get
# executed, therefore, they are setting these variables' values to 'true'!
# The following variable is responsible for the execution of a
# handler that flushes the ipv4 route table. Although the default
# value is 'false', some tasks are in need of this handler to get
# executed, therefore, they are setting this variable's value to 'true'!
amzn2023cis_flush_ipv4_route: false
# The following variable is responsible for the execution of a
# handler that flushes the ipv6 route table. Although the default
# value is 'false', some tasks are in need of this handler to get
# executed, therefore, they are setting this variable's value to 'true'!
amzn2023cis_flush_ipv6_route: false

## Controls 3.4.1.x and 3.4.2.x Firewall Service
Expand Down Expand Up @@ -782,26 +798,26 @@ amzn2023cis_sshd:
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
# allowusers:
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
allowusers:
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, https://linux.die.net/man/5/sshd_config
# allowgroups: systems dba
allowgroups: systems dba
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
# denyusers:
denyusers:
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
# denygroups:
denygroups:

## Control 4.2.5 - Ensure SSH LogLevel is appropriate
# This variable refers to the loglevel used for ssh.
Expand Down Expand Up @@ -857,12 +873,18 @@ amzn2023cis_sugroup: nosugroup
# Authselect is another authentication configuration tool
# that aims to provide a more modern and modular approach
# for authentication settings configuration.
# The actual settings are just placeholders taken from the CIS
# examples, which might lead to failure. These settings need
# to be adjusted in order to minimise risk.
amzn2023cis_authselect:
# This setting is just a placeholder taken from the CIS
# examples, which might lead to failure. This setting needs
# to be adjusted in order to minimise risk.
custom_profile_name: custom-profile
# This setting is just a placeholder taken from the CIS
# examples, which might lead to failure. This setting needs
# to be adjusted in order to minimise risk.
default_file_to_copy: "sssd --symlink-meta"
# This setting is just a placeholder taken from the CIS
# examples, which might lead to failure. This setting needs
# to be adjusted in order to minimise risk.
options: with-sudo with-faillock without-nullok

## Control 4.4.1 - Ensure custom authselect profile is used
Expand All @@ -872,10 +894,10 @@ amzn2023cis_authselect_custom_profile_create: false
## Control 4.4.2 - Ensure authselect includes with-faillock
# This variable enables automation to select custom profile options, using the variables above
amzn2023cis_authselect_custom_profile_select: false
## This option is used at your own risk. It is responsible for
## enabling faillock for users.
## Only to be used on a new clean system that is not using authselect!
## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ##
# This option is used at your own risk. It is responsible for
# enabling faillock for users.
# Only to be used on a new clean system that is not using authselect!
# THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS !!
amzn2023cis_add_faillock_without_authselect: false
# This needs to be set to "ACCEPT" in order for the option
# mentioned above to be implemented!
Expand Down Expand Up @@ -921,11 +943,11 @@ amzn2023cis_pass:
warn_age: 7

## Control 4.6.1.4 - Ensure inactive password lock is 30 days or less
# The following variable's "lock_days" value refers to the period
# of time when users can be inactive. Once that period of time is
# over, users will be automatically disabled. The value should be
# 30 or less.
amzn2023cis_inactivelock:
# The following variable refers to the period of time when
# users can be inactive. Once that period of time is over,
# users will be automatically disabled. The value should be
# 30 or less.
lock_days: 30

## Control 4.6.1.5 - Ensure all users last password change date is in the past
Expand Down Expand Up @@ -1122,10 +1144,10 @@ update_audit_template: false
amzn2023cis_allow_auditd_uid_user_exclusions: false

# This variable can be used to configure other keys in auditd.conf
amzn2023cis_auditd_extra_conf: {}
# Example:
# amzn2023cis_auditd_extra_conf:
# admin_space_left: '10%'
amzn2023cis_auditd_extra_conf: {}

## Control 5.3 - Ensure logrotate is configured
# This variable is used to specify the regularity of
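Review bot: In the `amzn2023cis_sshd` hunk, `allowgroups: systems dba` goes from a commented-out example to a live default, and `allowusers:`, `denyusers:` and `denygroups:` become bare keys that YAML parses as null rather than as absent or empty strings. If the role renders any defined key into `/etc/ssh/sshd_config` (the consuming tasks are not visible here), running the role with unchanged defaults would restrict SSH logins to members of `systems` and `dba` and can lock administrators out — a behaviour change the title "Small documentation fixes" does not mention. Unless that is intended, keep the example as a comment, `# e.g. allowgroups: systems dba`, and give the four keys an explicit empty string, `allowgroups: ""`, so the null-versus-absent distinction does not depend on the parser; yamllint's `empty-values` rule flags the bare form. The `amzn2023cis_sshd` mapping starts before this hunk.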
