ec2.inputs.yml

# This file specifies the attributes for the configurable controls
# used in the RHEL 7 DISA STIG.

# Controls that are known to consistently have long run times can be disabled with this attribute
disable_slow_controls: true

# V-72081 - 'monitor_kernel_log', (bool)
# Set this to false if your system availability concern is not documented or
# there is no monitoring of the kernel log
monitor_kernel_log: true

# V-71849
# list of system files that should be allowed to change from an rpm verify point of view
rpm_verify_perms_except: []

# V-71855
# list of system files that should be allowed to change from an rpm verify point of view
rpm_verify_integrity_except: []

# V-71859 (already set to true)
banner_message_enabled: true

# V-72211 (default: false)
log_aggregation_server: false

# V-72307
x11_enabled: false

# Accounts that are not allowed on the system (Array)
disallowed_accounts: ["games", "gopher", "ftp"]

# Accounts of known managed users (Array)
user_accounts: ["ec2-user"]

# System accounts that support approved system activities. (Array)
known_system_accounts:
  [
    "root",
    "bin",
    "daemon",
    "adm",
    "lp",
    "sync",
    "shutdown",
    "halt",
    "mail",
    "operator",
    "nobody",
    "systemd-bus-proxy",
    "ec2-user"
  ]

# V-71859/V-77819
# User to use to check dconf settings
# (Nil means to use whatever user is running inspec currently)
dconf_user: nil

#  You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
#  By using this IS (which includes any device attached to this IS), you consent to the following conditions:
#    - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
#    - At any time, the USG may inspect and seize data stored on this IS.
#    - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
#    - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
#    - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

# V-71861
# whitespace is ignored
banner_message_text_gui:
  "You are accessing a U.S. Government (USG) Information System (IS) that is \
  provided for USG-authorized use only. By using this IS (which includes any \
  device attached to this IS), you consent to the following conditions: -The USG \
  routinely intercepts and monitors communications on this IS for purposes \
  including, but not limited to, penetration testing, COMSEC monitoring, network \
  operations and defense, personnel misconduct (PM), law enforcement (LE), and \
  counterintelligence (CI) investigations. -At any time, the USG may inspect and \
  seize data stored on this IS. -Communications using, or data stored on, this \
  IS are not private, are subject to routine monitoring, interception, and \
  search, and may be disclosed or used for any USG-authorized purpose. -This IS \
  includes security measures (e.g., authentication and access controls) to \
  protect USG interests--not for your personal benefit or privacy. \
  -Notwithstanding the above, using this IS does not constitute consent to PM, \
  LE or CI investigative searching or monitoring of the content of privileged \
  communications, or work product, related to personal representation or \
  services by attorneys, psychotherapists, or clergy, and their assistants. Such \
  communications and work product are private and confidential. See User \
  Agreement for details."

banner_message_text_gui_limited: "I've read & consent to terms in IS user agreem't."

# V-71863
# whitespace is ignored
banner_message_text_cli:
  "You are accessing a U.S. Government (USG) Information System (IS) that is \
  provided for USG-authorized use only. By using this IS (which includes any \
  device attached to this IS), you consent to the following conditions: -The USG \
  routinely intercepts and monitors communications on this IS for purposes \
  including, but not limited to, penetration testing, COMSEC monitoring, network \
  operations and defense, personnel misconduct (PM), law enforcement (LE), and \
  counterintelligence (CI) investigations. -At any time, the USG may inspect and \
  seize data stored on this IS. -Communications using, or data stored on, this \
  IS are not private, are subject to routine monitoring, interception, and \
  search, and may be disclosed or used for any USG-authorized purpose. -This IS \
  includes security measures (e.g., authentication and access controls) to \
  protect USG interests--not for your personal benefit or privacy. \
  -Notwithstanding the above, using this IS does not constitute consent to PM, \
  LE or CI investigative searching or monitoring of the content of privileged \
  communications, or work product, related to personal representation or \
  services by attorneys, psychotherapists, or clergy, and their assistants. Such \
  communications and work product are private and confidential. See User \
  Agreement for details."

banner_message_text_cli_limited: "I've read & consent to terms in IS user agreem't."

# V-72225
# whitespace is ignored
banner_message_text_ral:
  "You are accessing a U.S. Government (USG) Information System (IS) that is \
  provided for USG-authorized use only. By using this IS (which includes any \
  device attached to this IS), you consent to the following conditions: -The USG \
  routinely intercepts and monitors communications on this IS for purposes \
  including, but not limited to, penetration testing, COMSEC monitoring, network \
  operations and defense, personnel misconduct (PM), law enforcement (LE), and \
  counterintelligence (CI) investigations. -At any time, the USG may inspect and \
  seize data stored on this IS. -Communications using, or data stored on, this \
  IS are not private, are subject to routine monitoring, interception, and \
  search, and may be disclosed or used for any USG-authorized purpose. -This IS \
  includes security measures (e.g., authentication and access controls) to \
  protect USG interests--not for your personal benefit or privacy. \
  -Notwithstanding the above, using this IS does not constitute consent to PM, \
  LE or CI investigative searching or monitoring of the content of privileged \
  communications, or work product, related to personal representation or \
  services by attorneys, psychotherapists, or clergy, and their assistants. Such \
  communications and work product are private and confidential. See User \
  Agreement for details."

banner_message_text_ral_limited: "I've read & consent to terms in IS user agreem't."

# V-71901
# The scereensaver lock-delay must be less than or equal to the specified value
lock_delay: 5

# V-71911
# minimum number of characters that must be different from previous password
difok: 8

# V-71933
# number of reuse generations
min_reuse_generations: 5

# V-71941
# (number of days)
days_of_inactivity: 0

# V-71943
# number of unsuccessful attempts
unsuccessful_attempts: 3
# interval of time in which the consecutive failed logon
# attempts must occur in order for the account to be locked out
# (time in seconds)
fail_interval: 900
# minimum amount of time account must be locked out after failed logins.
# this attribute should never be set greater than 604800.
# (time in seconds)
lockout_time: 604800

# V-71973
# name of tool
file_integrity_tool: "aide"
# (monthly, weekly, or daily)
file_integrity_interval: "weekly"

# V-72223
# (time in seconds)
system_activity_timeout: 600

# V-72237
# (time in seconds)
client_alive_interval: 600

# V-71965, V-72417, V-72433
# (enabled or disabled)
smart_card_status: "disabled"

# V-72051/V-72209
# The path to the logging package
log_pkg_path: "/etc/rsyslog.conf"

# V-72011, V-72015, V-72017, V-72019, V-72021, V-72023, V-72025
# V-72027, V-72029, V-72031, V-72033, V-72035, V-72037, V-72059
# Users exempt from home directory-based controls in array
# format
exempt_home_users: []

# V-71961
# main grub boot config file
grub_main_cfg: "/boot/grub2/grub.cfg"

# grub boot config files
grub_user_boot_files: ["/boot/grub2/user.cfg"]

# efi boot config files
efi_user_boot_files: ["/boot/efi/EFI/redhat/user.cfg"]

# main efi boot config file
efi_main_cfg: "/boot/efi/EFI/redhat/grub.cfg"

# V-71971
# system accounts that support approved system activities
admin_logins: []

# V-73159
# maximum number of times to prompt user for new password
max_retry: 3

# V-72417
# the list of packages needed for MFA on RHEL
mfa_pkg_list:
  [
    "nss-tools",
    "nss-pam-ldapd",
    "esc",
    "pam_pkcs11",
    "pam_krb5",
    "opensc",
    "pcsc-lite-ccid",
    "gdm",
    "authconfig",
    "authconfig-gtk",
    "krb5-libs",
    "krb5-workstation",
    "krb5-pkinit",
    "pcsc-lite",
    "pcsc-lite-libs",
  ]

# V-77819
# should dconf have smart card authentication
multifactor_enabled: false

# these shells do not allow a user to login
non_interactive_shells:
  [
    "/sbin/nologin",
    "/sbin/halt",
    "/sbin/shutdown",
    "/bin/false",
    "/bin/sync",
    "/bin/true",
  ]

# V-72059
# randomize virtual address space kernel parameter
randomize_va_space: 2

# V-72043
# file systems that don't correspond to removable media
non_removable_media_fs: ["xfs", "ext4", "swap", "tmpfs"]

# V-72317
# approved configured tunnels prepended with word 'conn'
# Example: ['conn myTunnel']
approved_tunnels: []

# V-72039
# Is the target expected to be a virtual machine
virtual_machine: true