Small documentation fixes #202

Merged
14 changes: 8 additions & 6 deletions defaults/main.yml
Expand Up @@ -543,8 +543,10 @@ ubtu22cis_config_aide: true
## When Initializing aide this can take longer on some systems
# changing the values enables user to change to thier own requirements
ubtu22cis_aide_init:
async: 45 # Maximum Time in seconds
poll: 0 # Polling Interval in seconds
# Maximum Time in seconds
async: 45
# Polling Interval in seconds
poll: 0

## Control 1.3.2
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
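Review bot: The relocated comment over `poll: 0` still reads "Polling Interval in seconds", but in Ansible `poll: 0` means the task is started and not waited on, so the comment gives no hint that a non-zero value changes the behaviour from fire-and-forget to blocking. Suggest wording such as "# Polling interval in seconds (0 = do not wait for the AIDE initialisation to finish)". The unchanged line "changing the values enables user to change to thier own requirements" in the same block has a typo ("thier") that fits the scope of this PR.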
Expand Down Expand Up @@ -597,7 +599,7 @@ ubtu22cis_set_boot_pass: false

ubtu22cis_grub_file: /boot/grub/grub.cfg

## 1.5.x
## Controls 1.5.x
# Ability to set file in which the kernel systcl changes are placed
ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf
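Review bot: The description line directly under the renamed heading still says "kernel systcl changes"; that should be "sysctl". Since this hunk already touches the heading, fixing the typo in the same change keeps the comment searchable for people grepping for the sysctl drop-in path.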

Expand Down Expand Up @@ -748,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192
# This should be set based on your sites policy. CIS does not provide a specific value.
ubtu22cis_max_log_file_size: 10

## 4.1.3.x - Audit template
## Controls 4.1.3.x - Audit template
# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the
# audit settings are overwritten with the role's template. In order to exclude
# specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above
Expand Down Expand Up @@ -944,7 +946,7 @@ ubtu22cis_sugroup: nosugroup
# CIS requires a value of 5 or more.
ubtu22cis_pamd_pwhistory_remember: 5

# Control 5.4.2
## Control 5.4.2
# This can seriously break access to a system
## The end state the file /etc/pam.d/common-auth need to be understood
## If using external auth providers this will be very different
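Review bot: Promoting "Control 5.4.2" to `##` makes the heading match the other control headings, but the two lines that follow ("## The end state the file ..." and "## If using external auth providers ...") also start with `##`, so they now look like headings rather than description text. Suggest changing those two to a single `#` and tightening the first one, for example "# The end state of /etc/pam.d/common-auth needs to be understood", given that the warning above says this setting can break access to a system.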
Expand All @@ -955,7 +957,7 @@ ubtu22cis_rule_5_4_2_faillock_config: |
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

# Control 5.4.4
## Control 5.4.4
# ubtu22cis_passwd_hash_algo is the hashing algorithm used
ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret
# Set pam as well as login defs if PAM is required
1 change: 1 addition & 0 deletions tasks/section_3/cis_3.2.x.yml
Expand Up @@ -48,6 +48,7 @@
state: present
reload: true
ignoreerrors: true
when: ubtu22cis_ipv6_disable == 'sysctl'
notify:
- Flush ipv6 route table
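Review bot: The added `when: ubtu22cis_ipv6_disable == 'sysctl'` is a behavioural change to a task, not a documentation fix, and the PR title "Small documentation fixes" does not mention it. Suggest either splitting it into its own PR or calling it out in the description and changelog, so that users who pin the role know this sysctl task and its "Flush ipv6 route table" handler will no longer run for other values of the variable.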

2 changes: 2 additions & 0 deletions tasks/section_3/cis_3.3.x.yml
Expand Up @@ -25,6 +25,7 @@
state: present
reload: true
ignoreerrors: true
when: ubtu22cis_ipv6_disable == 'sysctl'
with_items:
- net.ipv6.conf.all.accept_source_route
- net.ipv6.conf.default.accept_source_route
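Review bot: With `when: ubtu22cis_ipv6_disable == 'sysctl'` on this loop, `net.ipv6.conf.all.accept_source_route` and `net.ipv6.conf.default.accept_source_route` are only set when the variable equals 'sysctl'. Please confirm this is intended for hosts where IPv6 stays enabled or is disabled by another method; if the source-route settings should apply whenever IPv6 is in use, the condition needs to cover that case as well.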
Expand Down Expand Up @@ -66,6 +67,7 @@
state: present
reload: true
ignoreerrors: true
when: ubtu22cis_ipv6_disable == 'sysctl'
with_items:
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
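Review bot: This is the third copy of the string comparison `ubtu22cis_ipv6_disable == 'sysctl'` in this PR, here gating the `accept_redirects` loop, and a value that does not match the literal exactly causes all three tasks to be skipped. Suggest documenting the accepted values next to the variable in defaults/main.yml, which this PR already edits, if they are not listed there yet.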