forked from simp/inspec-profile-disa_stig-el7
-
Notifications
You must be signed in to change notification settings - Fork 1
/
attributes.nolong.yml
288 lines (242 loc) · 10.8 KB
/
attributes.nolong.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
# This file specifies the attributes for the configurable controls
# used in the RHEL 7 DISA STIG.
# Controls that are known to consistently have long run times can be disabled with this attribute
disable_slow_controls: true
# V-72081 - 'monitor_kernel_log', (bool)
# Set this to false if your system availability concern is not documented or
# there is no monitoring of the kernel log
monitor_kernel_log: true
# V-71849
# list of system files that should be allowed to change from an rpm verify point of view
rpm_verify_perms_except: []
# V-71855
# list of system files that should be allowed to change from an rpm verify point of view
rpm_verify_integrity_except: []
# V-71859 (already set to true)
banner_message_enabled: 'true'
# V-72211 (default: false)
log_aggregation_server: false
# V-72047 (default: [])
# Known application groups that are allowed to have world-writeable files or directories
application_groups: []
# V-72307
x11_enabled: false
# Accounts that are not allowed on the system (Array)
disallowed_accounts: [
'games',
'gopher',
'ftp',
]
# Accounts of known managed users (Array)
user_accounts: []
# System accounts that support approved system activities. (Array)
known_system_accounts: [
'root',
'bin',
'daemon',
'adm',
'lp',
'sync',
'shutdown',
'halt',
'mail',
'operator',
'nobody',
'systemd-bus-proxy',
'systemd-network',
'dbus',
'polkitd',
'tss', # Account used by the trousers package to sandbox the tcsd daemon
'postfix', # Service Account for Postfix Mail Daemon
'chrony', # Service Account for the Chrony Time Service
'sshd', # Service Account for SSH
'sssd', # Service Account for the SSSH Authentication service
'rpc', # Service Account RPCBind Daemon
'ntp', # Service Account for NTPD Daemon
'vboxadd', # known Virtualbox user
'nfsnobody', # service account for nsfd
'vagrant', # known service account for vagrant / Virtualbox
'rpcuser', # known centos system account for nsf
]
# V-71859/V-77819
# User to use to check dconf settings
# (empty string means to use whatever user is running inspec currently)
dconf_user: ''
# You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
# By using this IS (which includes any device attached to this IS), you consent to the following conditions:
# - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
# - At any time, the USG may inspect and seize data stored on this IS.
# - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
# - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
# - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
# V-71861
# whitespace is ignored
banner_message_text_gui:
"You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details."
banner_message_text_gui_limited: "I've read & consent to terms in IS user agreem't."
# V-71863
# whitespace is ignored
banner_message_text_cli:
"You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details."
banner_message_text_cli_limited: "I've read & consent to terms in IS user agreem't."
# V-72225
# whitespace is ignored
banner_message_text_ral:
"You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details."
banner_message_text_ral_limited: "I've read & consent to terms in IS user agreem't."
# V-71901
# The scereensaver lock-delay must be less than or equal to the specified value
lock_delay: 5
# V-71911
# minimum number of characters that must be different from previous password
difok: 8
# V-71933
# number of reuse generations
min_reuse_generations: 5
# V-71935
# (number of characters)
min_len: 15
# V-71941
# (number of days)
days_of_inactivity: 0
# V-71943
# number of unsuccessful attempts
unsuccessful_attempts: 3
# interval of time in which the consecutive failed logon
# attempts must occur in order for the account to be locked out
# (time in seconds)
fail_interval: 900
# minimum amount of time account must be locked out after failed logins.
# this attribute should never be set greater than 604800.
# (time in seconds)
lockout_time: 604800
# V-71973
# name of tool
file_integrity_tool: 'aide'
# (monthly, weekly, or daily)
file_integrity_interval: 'weekly'
# V-72223
# (time in seconds)
system_activity_timeout: 600
# V-72237
# (time in seconds)
client_alive_interval: 600
# V-71965, V-72417, V-72433
# (enabled or disabled)
smart_card_status: 'enabled'
# V-72051/V-72209
# The path to the logging package
log_pkg_path: '/etc/rsyslog.conf'
# V-72011, V-72015, V-72017, V-72019, V-72021, V-72023, V-72025
# V-72027, V-72029, V-72031, V-72033, V-72035, V-72037, V-72059
# Users exempt from home directory-based controls in array
# format
exempt_home_users: []
# V-71961
# main grub boot config file
grub_main_cfg: '/boot/grub2/grub.cfg'
# superusers for grub boot ( array )
grub_superusers: ['root']
# grub boot config files
grub_user_boot_files: ['/boot/grub2/user.cfg']
# V-71963
# superusers for efi boot ( array )
efi_superusers: ['root']
# efi boot config files
efi_user_boot_files: ['/boot/efi/EFI/redhat/user.cfg']
# main efi boot config file
efi_main_cfg: '/boot/efi/EFI/redhat/grub.cfg'
# V-71971
# system accounts that support approved system activities
admin_logins: []
# V-73159
# maximum number of times to prompt user for new password
max_retry: 3
# V-72417
# the list of packages needed for MFA on RHEL
mfa_pkg_list: [
'nss-tools',
'nss-pam-ldapd',
'esc',
'pam_pkcs11',
'pam_krb5',
'opensc',
'pcsc-lite-ccid',
'gdm',
'authconfig',
'authconfig-gtk',
'krb5-libs',
'krb5-workstation',
'krb5-pkinit',
'pcsc-lite',
'pcsc-lite-libs'
]
# V-77819
# should dconf have smart card authentication
multifactor_enabled: 'true'
# these shells do not allow a user to login
non_interactive_shells: ["/sbin/nologin", "/sbin/halt", "/sbin/shutdown", "/bin/false", "/bin/sync", "/bin/true"]
# V-72059
# randomize virtual address space kernel parameter
randomize_va_space: 2
# V-72043
# file systems that don't correspond to removable media
non_removable_media_fs: ['xfs', 'ext4', 'swap', 'tmpfs']
# V-72317
# approved configured tunnels prepended with word 'conn'
# Example: ['conn myTunnel']
approved_tunnels: []
# V-72039
# Is the target expected to be a virtual machine
virtual_machine: false