forked from mosen/cis-benchmark-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
151 lines (134 loc) · 2.71 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
cis-benchmark:
lookup: -
update: True
# 1.3.1, 1.3.2 - Install and configure AIDE
aide: True
# 1.4.2 - Enable SELinux if true
selinux: True
# 4.5 Install and configure TCPWrappers if true
tcpwrappers: True
# 5.1 Use rsyslog instead of syslogd
rsyslog: True
# Used for tcp wrappers and possibly firewall rules in future
internal_subnets:
- 192.168.1.0/24
- 172.16.0.0/16
- 10.0.0.0/8
# The following sysctl variables will be set to one (1).
sysctl_enable:
# 4.2.4
- net.ipv4.conf.all.log_martians
- net.ipv4.conf.default.log_martians
# 4.2.5
- net.ipv4.icmp_echo_ignore_broadcasts
# 4.2.6
- net.ipv4.icmp_ignore_bogus_error_responses
# 4.2.7
- net.ipv4.conf.all.rp_filter
- net.ipv4.conf.default.rp_filter
# 4.2.8
- net.ipv4.tcp_syncookies
# 4.4.2
- net.ipv6.conf.all.disable_ipv6
# The following sysctl variables will be set to zero.
sysctl_disable:
# 1.6.1
- fs.suid_dumpable
# 4.1.1
- net.ipv4.ip_forward
# 4.1.2
- net.ipv4.conf.all.send_redirects
- net.ipv4.conf.default.send_redirects
# 4.2.1
- net.ipv4.conf.all.accept_source_route
- net.ipv4.conf.default.accept_source_route
# 4.2.2
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
# 4.2.3
- net.ipv4.conf.all.secure_redirects
- net.ipv4.conf.default.secure_redirects
# 4.4.1
- net.ipv6.conf.all.accept_ra
- net.ipv6.conf.default.accept_ra
# 4.4.1.2
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
services_disable:
# 2.1.12
- chargen-dgram
# 2.1.13
- chargen-stream
# 2.1.14
- daytime-dgram
# 2.1.15
- daytime-stream
# 2.1.16
- echo-dgram
# 2.1.17
- echo-stream
# 2.1.18
- tcpmux-server
# 3.3
- avahi-daemon
# 3.4
- cups
# 3.8
- nfslock
- rpcgssd
- rpcbind
- rpcidmapd
- rpcsvcgssd
services_enable:
# 4.7
- firewalld
# 6.1.2
- crond
pkgs_remove:
# 1.4.4
- setroubleshoot
# 1.4.5
- mcstrans
# 2.1.1
- telnet-server
# 2.1.2
- telnet
# 2.1.3
- rsh-server
# 2.1.4
- rsh
# 2.1.5
- ypbind
# 2.1.6
- ypserv
# 2.1.7
- tftp
# 2.1.8
- tftp-server
# 2.1.9
- talk
# 2.1.10
- talk-server
# 2.1.11
- xinetd
# 3.2
- xorg-x11-server-common
# 3.5
- dhcp
# 3.7
- openldap-servers
- openldap-clients
# 3.9
- bind
# 3.10
- vsftpd
# 3.11
- httpd
# 3.12
- dovecot
# 3.13
- samba
# 3.14
- squid
# 3.15
- net-snmp