---

## Switching on/off specific baseline sections
# These variables govern whether the tasks of a particular section are to be executed when running the role.
# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false".
ubtu24cis_section1: true
ubtu24cis_section2: true
ubtu24cis_section3: true
ubtu24cis_section4: true
ubtu24cis_section5: true
ubtu24cis_section6: true
ubtu24cis_section7: true

## Reboot system before audit
# System will reboot if false, can give better audit results
skip_reboot: true

## Benchmark name and profiles used by auditing control role
# The audit variable found at the base
benchmark: UBUNTU24-CIS
benchmark_version: v1.0.0

# Used for audit
ubtu24cis_level_1: true
ubtu24cis_level_2: true

## Possibly disruptive tasks
# This variable governs whether tasks of a potentially disruptive nature on your system
# (e.g., removing .forward and .netrc files for interactive users) are carried out.
# If you set this variable to "true", the role will carry such tasks; if you set it to
# "false", these tasks will be skipped.
ubtu24cis_disruption_high: true

## Unrestricted boot
# Setting this variable to false enables the system to
# boot *without* querying for the bootloader password.
ubtu24cis_ask_passwd_to_boot: false

## Usage on containerized images
# The role discovers dynamically (in tasks/main.yml) whether it
# is executed on a container image and sets the variable
# system_is_container the true. Otherwise, the default value
# 'false' is left unchanged.
container_vars_file: is_container.yml

## Root user used
# Root by default is not used unless setup by user
# The role will only run certain commands if set to true
# This allows the ability to skip tasks that may cause an issue
ubtu24cis_uses_root: false

###
### Settings for associated Audit role using Goss
###

###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings  ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

## Only run Audit do not remediate
audit_only: false
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU24-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

# Where the audit logs are stored
audit_log_dir: '/opt'

### Goss Settings ##
####### END ########

## Running in EC2 pipeline
# Skip events for EC2 instance testing pipeline.
# This variable is set to true for automated tests
# carried out for this role by the role maintainers.
system_is_ec2: false

##
## Rule-specific switches
##
## Use the switches below to disable specific rules independently of the chosen profile
##

## Section 1 Fixes
# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)

# 1.1 Filesystems
# 1.1.1 Configure Filesystem Kernel Modules
ubtu24cis_rule_1_1_1_1: true
ubtu24cis_rule_1_1_1_2: true
ubtu24cis_rule_1_1_1_3: true
ubtu24cis_rule_1_1_1_4: true
ubtu24cis_rule_1_1_1_5: true
ubtu24cis_rule_1_1_1_6: true
ubtu24cis_rule_1_1_1_7: true
ubtu24cis_rule_1_1_1_8: true
ubtu24cis_rule_1_1_1_9: true
ubtu24cis_rule_1_1_1_10: true

# 1.1.2 Configure Filesystem Partitions
# /tmp
ubtu24cis_rule_1_1_2_1_1: true
ubtu24cis_rule_1_1_2_1_2: true
ubtu24cis_rule_1_1_2_1_3: true
ubtu24cis_rule_1_1_2_1_4: true

# /dev/shm
ubtu24cis_rule_1_1_2_2_1: true
ubtu24cis_rule_1_1_2_2_2: true
ubtu24cis_rule_1_1_2_2_3: true
ubtu24cis_rule_1_1_2_2_4: true

# /home
ubtu24cis_rule_1_1_2_3_1: true
ubtu24cis_rule_1_1_2_3_2: true
ubtu24cis_rule_1_1_2_3_3: true

# /var
ubtu24cis_rule_1_1_2_4_1: true
ubtu24cis_rule_1_1_2_4_2: true
ubtu24cis_rule_1_1_2_4_3: true

# /var/tmp
ubtu24cis_rule_1_1_2_5_1: true
ubtu24cis_rule_1_1_2_5_2: true
ubtu24cis_rule_1_1_2_5_3: true
ubtu24cis_rule_1_1_2_5_4: true

# /var/log
ubtu24cis_rule_1_1_2_6_1: true
ubtu24cis_rule_1_1_2_6_2: true
ubtu24cis_rule_1_1_2_6_3: true
ubtu24cis_rule_1_1_2_6_4: true

# /var/log/audit
ubtu24cis_rule_1_1_2_7_1: true
ubtu24cis_rule_1_1_2_7_2: true
ubtu24cis_rule_1_1_2_7_3: true
ubtu24cis_rule_1_1_2_7_4: true

# 1.2 Package mgmt
# 1.2.1 Configure Package repositories
ubtu24cis_rule_1_2_1_1: true
ubtu24cis_rule_1_2_1_2: true
# 1.2.2 Configure Package updates
ubtu24cis_rule_1_2_2_1: true

# 1.3 Mandatory Access Control
## 1.3.1 Configure AppArmor
ubtu24cis_rule_1_3_1_1: true
ubtu24cis_rule_1_3_1_2: true
ubtu24cis_rule_1_3_1_3: true
ubtu24cis_rule_1_3_1_4: true

# 1.4 Configure Bootloader
ubtu24cis_rule_1_4_1: true
ubtu24cis_rule_1_4_2: true

# 1.5 Configure additional Process Hardening
ubtu24cis_rule_1_5_1: true
ubtu24cis_rule_1_5_2: true
ubtu24cis_rule_1_5_3: true
ubtu24cis_rule_1_5_4: true
ubtu24cis_rule_1_5_5: true

# 1.6 Configure Command Line Warning Banners
ubtu24cis_rule_1_6_1: true
ubtu24cis_rule_1_6_2: true
ubtu24cis_rule_1_6_3: true
ubtu24cis_rule_1_6_4: true
ubtu24cis_rule_1_6_5: true
ubtu24cis_rule_1_6_6: true

# 1.7 Configure GNOME Display Manager
ubtu24cis_rule_1_7_1: true
ubtu24cis_rule_1_7_2: true
ubtu24cis_rule_1_7_3: true
ubtu24cis_rule_1_7_4: true
ubtu24cis_rule_1_7_5: true
ubtu24cis_rule_1_7_6: true
ubtu24cis_rule_1_7_7: true
ubtu24cis_rule_1_7_8: true
ubtu24cis_rule_1_7_9: true
ubtu24cis_rule_1_7_10: true

## Section 2 Fixes
# Section 2 is Services (Special Purpose Services, and service clients)

# 2.1 Configure Server Services
ubtu24cis_rule_2_1_1: true
ubtu24cis_rule_2_1_2: true
ubtu24cis_rule_2_1_3: true
ubtu24cis_rule_2_1_4: true
ubtu24cis_rule_2_1_5: true
ubtu24cis_rule_2_1_6: true
ubtu24cis_rule_2_1_7: true
ubtu24cis_rule_2_1_8: true
ubtu24cis_rule_2_1_9: true
ubtu24cis_rule_2_1_10: true
ubtu24cis_rule_2_1_11: true
ubtu24cis_rule_2_1_12: true
ubtu24cis_rule_2_1_13: true
ubtu24cis_rule_2_1_14: true
ubtu24cis_rule_2_1_15: true
ubtu24cis_rule_2_1_16: true
ubtu24cis_rule_2_1_17: true
ubtu24cis_rule_2_1_18: true
ubtu24cis_rule_2_1_19: true
ubtu24cis_rule_2_1_20: true
ubtu24cis_rule_2_1_21: true
ubtu24cis_rule_2_1_22: true

# 2.2 Configure client services
ubtu24cis_rule_2_2_1: true
ubtu24cis_rule_2_2_2: true
ubtu24cis_rule_2_2_3: true
ubtu24cis_rule_2_2_4: true
ubtu24cis_rule_2_2_5: true
ubtu24cis_rule_2_2_6: true

# Ensure time synchronization is in use
ubtu24cis_rule_2_3_1_1: true
# Configure systemd-timesyncd
ubtu24cis_rule_2_3_2_1: true
ubtu24cis_rule_2_3_2_2: true
# Configure Chrony
ubtu24cis_rule_2_3_3_1: true
ubtu24cis_rule_2_3_3_2: true
ubtu24cis_rule_2_3_3_3: true

# 2.4 Job Schedulers
# 2.4.1 Configure Cron
ubtu24cis_rule_2_4_1_1: true
ubtu24cis_rule_2_4_1_2: true
ubtu24cis_rule_2_4_1_3: true
ubtu24cis_rule_2_4_1_4: true
ubtu24cis_rule_2_4_1_5: true
ubtu24cis_rule_2_4_1_6: true
ubtu24cis_rule_2_4_1_7: true
ubtu24cis_rule_2_4_1_8: true
# Configure At
ubtu24cis_rule_2_4_2_1: true

## Section 3 Network Configuration
# 3.1 Configure Network Devices
ubtu24cis_rule_3_1_1: true
ubtu24cis_rule_3_1_2: true
ubtu24cis_rule_3_1_3: true
# 3.2 Configure Network Kernel Modules (Host Only)
ubtu24cis_rule_3_2_1: true
ubtu24cis_rule_3_2_2: true
ubtu24cis_rule_3_2_3: true
ubtu24cis_rule_3_2_4: true
# 3.3 Configure Network Kernel Parameters (Host and Router)
ubtu24cis_rule_3_3_1: true
ubtu24cis_rule_3_3_2: true
ubtu24cis_rule_3_3_3: true
ubtu24cis_rule_3_3_4: true
ubtu24cis_rule_3_3_5: true
ubtu24cis_rule_3_3_6: true
ubtu24cis_rule_3_3_7: true
ubtu24cis_rule_3_3_8: true
ubtu24cis_rule_3_3_9: true
ubtu24cis_rule_3_3_10: true
ubtu24cis_rule_3_3_11: true

## Section 4 Host Based Firewall

# 4.1 single firewall
ubtu24cis_rule_4_1_1: true

# 4.2 Configure UncomplicatedFirewall
ubtu24cis_rule_4_2_1: true
ubtu24cis_rule_4_2_2: true
ubtu24cis_rule_4_2_3: true
ubtu24cis_rule_4_2_4: true
ubtu24cis_rule_4_2_5: true
ubtu24cis_rule_4_2_6: true
ubtu24cis_rule_4_2_7: true
# 4.3 Configure nftables
ubtu24cis_rule_4_3_1: true
ubtu24cis_rule_4_3_2: true
ubtu24cis_rule_4_3_3: true
ubtu24cis_rule_4_3_4: true
ubtu24cis_rule_4_3_5: true
ubtu24cis_rule_4_3_6: true
ubtu24cis_rule_4_3_7: true
ubtu24cis_rule_4_3_8: true
ubtu24cis_rule_4_3_9: true
ubtu24cis_rule_4_3_10: true

# 4.4.1 Configure iptables software
ubtu24cis_rule_4_4_1_1: true
ubtu24cis_rule_4_4_1_2: true
ubtu24cis_rule_4_4_1_3: true

# 4.4.2 Configure IPv4 iptables
ubtu24cis_rule_4_4_2_1: true
ubtu24cis_rule_4_4_2_2: true
ubtu24cis_rule_4_4_2_3: true
ubtu24cis_rule_4_4_2_4: true
# 4.4.3 Configure IPv6 iptables
ubtu24cis_rule_4_4_3_1: true
ubtu24cis_rule_4_4_3_2: true
ubtu24cis_rule_4_4_3_3: true
ubtu24cis_rule_4_4_3_4: true

## Section 5 Access Control
# 5.1 Configure SSH Server
ubtu24cis_rule_5_1_1: true
ubtu24cis_rule_5_1_2: true
ubtu24cis_rule_5_1_3: true
ubtu24cis_rule_5_1_4: true
ubtu24cis_rule_5_1_5: true
ubtu24cis_rule_5_1_6: true
ubtu24cis_rule_5_1_7: true
ubtu24cis_rule_5_1_8: true
ubtu24cis_rule_5_1_9: true
ubtu24cis_rule_5_1_10: true
ubtu24cis_rule_5_1_11: true
ubtu24cis_rule_5_1_12: true
ubtu24cis_rule_5_1_13: true
ubtu24cis_rule_5_1_14: true
ubtu24cis_rule_5_1_15: true
ubtu24cis_rule_5_1_16: true
ubtu24cis_rule_5_1_17: true
ubtu24cis_rule_5_1_18: true
ubtu24cis_rule_5_1_19: true
ubtu24cis_rule_5_1_20: true
ubtu24cis_rule_5_1_21: true
ubtu24cis_rule_5_1_22: true
# 5.2 Configure privilege escalation
ubtu24cis_rule_5_2_1: true
ubtu24cis_rule_5_2_2: true
ubtu24cis_rule_5_2_3: true
ubtu24cis_rule_5_2_4: true
ubtu24cis_rule_5_2_5: true
ubtu24cis_rule_5_2_6: true
ubtu24cis_rule_5_2_7: true
# 5.3.1 Configure PAM software packages
ubtu24cis_rule_5_3_1_1: true
ubtu24cis_rule_5_3_1_2: true
ubtu24cis_rule_5_3_1_3: true
# 5.3.2 Configure pam-auth-update profiles
ubtu24cis_rule_5_3_2_1: true
ubtu24cis_rule_5_3_2_2: true
ubtu24cis_rule_5_3_2_3: true
ubtu24cis_rule_5_3_2_4: true
# 5.3.3.1 Configure pam_faillock module
ubtu24cis_rule_5_3_3_1_1: true
ubtu24cis_rule_5_3_3_1_2: true
ubtu24cis_rule_5_3_3_1_3: true
# 5.3.3.2 Configure pam_quality module
ubtu24cis_rule_5_3_3_2_1: true
ubtu24cis_rule_5_3_3_2_2: true
ubtu24cis_rule_5_3_3_2_3: true
ubtu24cis_rule_5_3_3_2_4: true
ubtu24cis_rule_5_3_3_2_5: true
ubtu24cis_rule_5_3_3_2_6: true
ubtu24cis_rule_5_3_3_2_7: true
ubtu24cis_rule_5_3_3_2_8: true
# 5.3.3.3 Configure pam_history module
# This are added as part of 5.3.2.4 using jinja2 template
ubtu24cis_rule_5_3_3_3_1: true
ubtu24cis_rule_5_3_3_3_2: true
ubtu24cis_rule_5_3_3_3_3: true
# 5.3.3.4 Configure pam_unix module
ubtu24cis_rule_5_3_3_4_1: true
ubtu24cis_rule_5_3_3_4_2: true
ubtu24cis_rule_5_3_3_4_3: true
ubtu24cis_rule_5_3_3_4_4: true
# 5.4 User Accounts and Environment
# 5.4.1 Configure shadow password suite parameters
ubtu24cis_rule_5_4_1_1: true
ubtu24cis_rule_5_4_1_2: true
ubtu24cis_rule_5_4_1_3: true
ubtu24cis_rule_5_4_1_4: true
ubtu24cis_rule_5_4_1_5: true
ubtu24cis_rule_5_4_1_6: true
# 5.4.2 Configure root and system accounts and environment
ubtu24cis_rule_5_4_2_1: true
ubtu24cis_rule_5_4_2_2: true
ubtu24cis_rule_5_4_2_3: true
ubtu24cis_rule_5_4_2_4: true
ubtu24cis_rule_5_4_2_5: true
ubtu24cis_rule_5_4_2_6: true
ubtu24cis_rule_5_4_2_7: true
ubtu24cis_rule_5_4_2_8: true
# 5.4.2 Configure user default environment
ubtu24cis_rule_5_4_3_1: true
ubtu24cis_rule_5_4_3_2: true
ubtu24cis_rule_5_4_3_3: true

## Section 6

# 6.2.1.x Configure systemd-journald service
ubtu24cis_rule_6_1_1_1: true
ubtu24cis_rule_6_1_1_2: true
ubtu24cis_rule_6_1_1_3: true
ubtu24cis_rule_6_1_1_4: true
# 6.1.2.1 Configure journald
ubtu24cis_rule_6_1_2_1_1: true
ubtu24cis_rule_6_1_2_1_2: true
ubtu24cis_rule_6_1_2_1_3: true
ubtu24cis_rule_6_1_2_1_4: true
ubtu24cis_rule_6_1_2_2: true
ubtu24cis_rule_6_1_2_3: true
ubtu24cis_rule_6_1_2_4: true
# 6.1.3 Configure rsyslog
ubtu24cis_rule_6_1_3_1: true
ubtu24cis_rule_6_1_3_2: true
ubtu24cis_rule_6_1_3_3: true
ubtu24cis_rule_6_1_3_4: true
ubtu24cis_rule_6_1_3_5: true
ubtu24cis_rule_6_1_3_6: true
ubtu24cis_rule_6_1_3_7: true
# 6.1.3.8 logrotate
ubtu24cis_rule_6_1_3_8: true
# 6.1.4.1 configure logfiles
ubtu24cis_rule_6_1_4_1: true
# 6.2.1 Configure auditd services
ubtu24cis_rule_6_2_1_1: true
ubtu24cis_rule_6_2_1_2: true
ubtu24cis_rule_6_2_1_3: true
ubtu24cis_rule_6_2_1_4: true
# 6.2.2 Configure auditd data retention
ubtu24cis_rule_6_2_2_1: true
ubtu24cis_rule_6_2_2_2: true
ubtu24cis_rule_6_2_2_3: true
ubtu24cis_rule_6_2_2_4: true
# 6.2.3 Configure auditd rules
ubtu24cis_rule_6_2_3_1: true
ubtu24cis_rule_6_2_3_2: true
ubtu24cis_rule_6_2_3_3: true
ubtu24cis_rule_6_2_3_4: true
ubtu24cis_rule_6_2_3_5: true
ubtu24cis_rule_6_2_3_6: true
ubtu24cis_rule_6_2_3_7: true
ubtu24cis_rule_6_2_3_8: true
ubtu24cis_rule_6_2_3_9: true
ubtu24cis_rule_6_2_3_10: true
ubtu24cis_rule_6_2_3_11: true
ubtu24cis_rule_6_2_3_12: true
ubtu24cis_rule_6_2_3_13: true
ubtu24cis_rule_6_2_3_14: true
ubtu24cis_rule_6_2_3_15: true
ubtu24cis_rule_6_2_3_16: true
ubtu24cis_rule_6_2_3_17: true
ubtu24cis_rule_6_2_3_18: true
ubtu24cis_rule_6_2_3_19: true
ubtu24cis_rule_6_2_3_20: true
ubtu24cis_rule_6_2_3_21: true
# 6.2.4 Configure audit file access
ubtu24cis_rule_6_2_4_1: true
ubtu24cis_rule_6_2_4_2: true
ubtu24cis_rule_6_2_4_3: true
ubtu24cis_rule_6_2_4_4: true
ubtu24cis_rule_6_2_4_5: true
ubtu24cis_rule_6_2_4_6: true
ubtu24cis_rule_6_2_4_7: true
ubtu24cis_rule_6_2_4_8: true
ubtu24cis_rule_6_2_4_9: true
ubtu24cis_rule_6_2_4_10: true
# 6.3 Configure Filesystem Integrity Checking
ubtu24cis_rule_6_3_1: true
ubtu24cis_rule_6_3_2: true
ubtu24cis_rule_6_3_3: true

## Section 7
# 7.1 System File Permissions
ubtu24cis_rule_7_1_1: true
ubtu24cis_rule_7_1_2: true
ubtu24cis_rule_7_1_3: true
ubtu24cis_rule_7_1_4: true
ubtu24cis_rule_7_1_5: true
ubtu24cis_rule_7_1_6: true
ubtu24cis_rule_7_1_7: true
ubtu24cis_rule_7_1_8: true
ubtu24cis_rule_7_1_9: true
ubtu24cis_rule_7_1_10: true
ubtu24cis_rule_7_1_11: true
ubtu24cis_rule_7_1_12: true
ubtu24cis_rule_7_1_13: true
# 7.2 Local User and Group Settings
ubtu24cis_rule_7_2_1: true
ubtu24cis_rule_7_2_2: true
ubtu24cis_rule_7_2_3: true
ubtu24cis_rule_7_2_4: true
ubtu24cis_rule_7_2_5: true
ubtu24cis_rule_7_2_6: true
ubtu24cis_rule_7_2_7: true
ubtu24cis_rule_7_2_8: true
ubtu24cis_rule_7_2_9: true
ubtu24cis_rule_7_2_10: true

##
## Service configuration variables.
##
## Set the respective variable to true to keep the service.
## otherwise the service is stopped and disabled
##
# Service configuration
# Options are
# true to leave installed if exists not changes take place
# false - this removes the package
# mask - if a dependancy for product so cannot be removed
# Server Services
ubtu24cis_autofs_services: false
ubtu24cis_autofs_mask: false
ubtu24cis_avahi_server: false
ubtu24cis_avahi_mask: false
ubtu24cis_dhcp_server: false
ubtu24cis_dhcp_mask: false
ubtu24cis_dns_server: false
ubtu24cis_dns_mask: false
ubtu24cis_dnsmasq_server: false
ubtu24cis_dnsmasq_mask: false
ubtu24cis_ftp_server: false
ubtu24cis_ftp_mask: false
ubtu24cis_ldap_server: false
ubtu24cis_ldap_mask: false
ubtu24cis_message_server: false  # This is for messaging dovecot and cyrus-imap
ubtu24cis_message_mask: false
ubtu24cis_nfs_server: true
ubtu24cis_nfs_mask: true
ubtu24cis_nis_server: true  # set to mask if nis client required
ubtu24cis_nis_mask: false
ubtu24cis_print_server: false  # replaces cups
ubtu24cis_print_mask: false
ubtu24cis_rpc_server: true
ubtu24cis_rpc_mask: true
ubtu24cis_rsync_server: false
ubtu24cis_rsync_mask: false
ubtu24cis_samba_server: false
ubtu24cis_samba_mask: false
ubtu24cis_snmp_server: false
ubtu24cis_snmp_mask: false
ubtu24cis_telnet_server: false
ubtu24cis_telnet_mask: false
ubtu24cis_tftp_server: false
ubtu24cis_tftp_mask: false
ubtu24cis_squid_server: false
ubtu24cis_squid_mask: false
ubtu24cis_apache2_server: false
ubtu24cis_apache2_mask: false
ubtu24cis_nginx_server: false
ubtu24cis_nginx_mask: false
ubtu24cis_xinetd_server: false
ubtu24cis_xinetd_mask: false
ubtu24cis_xwindow_server: false  # will remove mask not an option
ubtu24cis_is_mail_server: false

# Client Services
ubtu24cis_nis_client_required: false  # Same package as NIS server
ubtu24cis_rsh_client: false
ubtu24cis_talk_client: false
ubtu24cis_telnet_required: false
ubtu24cis_ldap_clients_required: false
ubtu24cis_ftp_client: false

## System functionality configuration variables
##
## There are certain functionalities of a system
## that may require either to skip certain CIS rules
## or install certain packages.
## Set the respective variable to `true` in order to
## enable a certain functionality on the system

# This variable governs whether specific CIS rules
# concerned with acceptance and routing of packages
# are skipped.
ubtu24cis_is_router: false

## IPv4 requirement toggle
# This variable governs whether ipv4 is enabled or disabled.
ubtu24cis_ipv4_required: true

## IPv6 requirement toggle
# This variable governs whether ipv6 is enabled or disabled.
ubtu24cis_ipv6_required: false

## Desktop requirement toggle
# This variable governs, whether CIS rules regarding GDM
# and X-Windows are carried out.
ubtu24cis_desktop_required: false

## Purge apt packages
# This will allow the purging of any packages that are marked to be removed
# This will also purge any packages not removed via this playbook
ubtu24cis_purge_apt: false

##
## Section 1 Control Variables
##

## Ability to enabe debug on mounts to assist in troubleshooting
# Mount point changes are set based upon facts created in Prelim
# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
ubtu24cis_debug_mount_data: false

## Control 1.1.2
# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
# otherwise fstab configuration will be used.
# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
ubtu24cis_tmp_svc: false

## Controls 1.3.1.x - apparmor
# AppArmor security policies define what system resources applications can access and their privileges.
# This automatically limits the damage that the software can do to files accessible by the calling user.
# The following variables are related to the set of rules from section 1.6.1.x

## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode

# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
# regarding enforcing profiles or putting them in complain mode
ubtu24cis_apparmor_disable: false

# This variable specifies whether enforce mode or complain  mode is set in Control 1.3.1.3.
# Possible values are `enforce` and `complain`.
# ATTENTION: if Control 1.3.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.3.1.3
# and sets `enforce` mode, no matter what this variable's value is.
ubtu24cis_apparmor_mode: complain

## Controls 1.4.x - Boot password
#
# THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT
# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: root
ubtu24cis_set_grub_user_pass: false
ubtu24cis_grub_user_file: /etc/grub.d/00_user
ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword"  # pragma: allowlist secret
ubtu24cis_set_boot_pass: false

ubtu24cis_grub_file: /boot/grub/grub.cfg

## Controls 1.5.x
# Ability to set file in which the kernel systcl changes are placed
ubtu24cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf

# 1.5.2 Ability to choose ptrace value
# options = 1, 2 or 3
ubtu24_ptrace_value: 1

## Controls 1.6.x  - Warning banners
# The controls 1.6.x set various warning banners and protect the respective files
# by tightening the access rights.

# This variable specifies the warning banner displayed to the user
# after local login, remote login, and as motd (message of the day)
# Noe that the banner text must not contain the below items in order to be
# compliant with CIS: \m, \r, \s, \v or references to the OS platform
ubtu24cis_warning_banner: |
        Authorized uses only. All activity may be monitored and reported.

# This variable governs, whether dynamic motd is disabled (as required by control 1.7.1)
ubtu24cis_disable_dynamic_motd: true

## Controls 1.7.x - Settings for GDM
# This variable specifies the GNOME configuration database file to which configurations are written.
# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
# The default database is `local`.
ubtu24cis_dconf_db_name: local
# This variable governs the number of seconds of inactivity before the screen goes blank.
ubtu24cis_screensaver_idle_delay: 900
# This variable governs the number of seconds the screen remains blank before it is locked.
ubtu24cis_screensaver_lock_delay: 5

##
## Section 2 Control Variables
##

## Control 2.3.1.1
# This variable choses the tool used for time synchronization
# The two options are `chrony`and `systemd-timesyncd`.
ubtu24cis_time_sync_tool: "systemd-timesyncd"

## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
# The following variable represents a list of of time server pools used
# for configuring chrony and timesyncd.
# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
# of the time synchronization mechanism you are using.
ubtu24cis_time_pool:
  - name: time.nist.gov
    options: iburst maxsources 4
# The following variable represents a list of of time servers used
# for configuring chrony and timesyncd
# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
# The default setting for the `options` is `iburst` -- please refer to the documentation
# of the time synchronization mechanism you are using.
ubtu24cis_time_servers:
  - name: time-a-g.nist.gov
    options: iburst
  - name: time-b-g.nist.gov
    options: iburst
  - name: time-c-g.nist.gov
    options: iburst

##
## Section 3 Control Variables
##

## Control 3.1.1 - Ensure system is checked to determine if IPv6 is enabled
# This variable governs the mechanism of how the disabling of IPV6 is carried out.
# Its possible values are `grub` and `sysctl`.
ubtu24cis_ipv6_disable: grub

## Control 3.1.2 - Ensure wireless interfaces are disabled
# This variable is used for a preliminary task regarding the installation of Network Manager
# If it is set to `true`, Network Manager is installed during the "prelim" section of
# the role. If set to `false`, Network Manager is not installed. Bear in mind that without
# it, ensuring that wireless interfaces are disabled will not be possible!
ubtu24cis_install_network_manager: true

## Control 3.1.3 - Ensure bluetooth Services are not in use
# This control managed how the bluetooth service is managaed
# Options are
# true to leave installed if exists not changes take place
# false - this removes the package
# mask - if a dependancy for product so cannot be removed
ubtu24cis_bluetooth_service: false
ubtu24cis_bluetooth_mask: false

## Control 3.3.x - Networking configuration
# This variable contains the path to the file in which, sysctl saves its configurations.
# Its default value is `/etc/sysctl.conf`.
ubtu24cis_sysctl_network_conf: /etc/sysctl.conf

##
## Section 4 Control Variables
##

## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration
# This variable represents the toggle for which firewall package is used.
# The options that have an effect on the system are `ufw` and `iptables`.
# The option `nftables` is also possible, but will only result in a message,
# that `nftables` has been chosen; all settings have to be carried out manually.
# Any other value, e.g. `none` will skip all firewall-related controls.
ubtu24cis_firewall_package: "ufw"

# This variable is used in a preliminary task that forces the UFW firewall to use /etc/sysctl.conf
# settings. If set to "true" the task will get done in the prelim section of the role.
ubtu24cis_ufw_use_sysctl: true

## Control 4.1.5 - Ensure ufw outbound connections are configured
# The value of this variable represents the ports for the firewall to allow oubound traffic from.
# If you want to allow outbound traffic on all ports, set the variable to  `all`, e.g.,
# `ubtu24cis_ufw_allow_out_ports: "all"`.
ubtu24cis_ufw_allow_out_ports:
  - 53
  - 80
  - 443

## Controls 4.2.x - nftables
# Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example
# of such a task.
# "ubtu24cis_nftables_table_name" is the name of the table in nftables you want to create.
# The default nftables table name is "inet filter". This variable name will be the one all
# nftables configs are applied to.
# ubtu24cis_nftables_table_name: "inet filter"

##
## Section 5 Control Variables
##
## Controls 5.1.x -- various sshd settings
ubtu24cis_sshd_default_log_level: "INFO"
ubtu24cis_sshd_default_max_auth_tries: 4
ubtu24cis_sshd_default_max_sessions: 8
ubtu24cis_sshd_default_login_grace_time: 60
ubtu24cis_sshd_default_client_alive_interval: 300
ubtu24cis_sshd_default_client_alive_count_max: 3
# Removed chacha20-poly1305 due to cve2023-48795
# all Ciphers, KEX and Macs set to FIPS 140
# This will nee dto be adjusted according to your site requirements
ubtu24cis_sshd_default_ciphers:
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
ubtu24cis_sshd_default_macs:
  - hmac-sha1
  - hmac-sha2-256
  #  - hmac-sha2-384  # hashed out seen as bad ssh2 MAC
  - hmac-sha2-512
ubtu24cis_sshd_default_kex_algorithms:
  - ecdh-sha2-nistp256
  - ecdh-sha2-nistp384
  - ecdh-sha2-nistp521
  - diffie-hellman-group-exchange-sha256
  - diffie-hellman-group16-sha512
  - diffie-hellman-group18-sha512
  - diffie-hellman-group14-sha256

# SSH Settings
# This variable is used to control the verbosity of the logging produced by the SSH server.
# The options for setting it are as follows:
# - `QUIET`: Minimal logging;
# - `FATAL`: logs only fatal errors;
# - `ERROR`: logs error messages;
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information including sensitive information.
ubtu24cis_sshd_log_level: "{{ ubtu24cis_sshd_default_log_level }}"
# This variable specifies the maximum number of authentication attempts that are
# allowed for a single SSH session.
ubtu24cis_sshd_max_auth_tries: "{{ ubtu24cis_sshd_default_max_auth_tries }}"
# This variable specifies the encryption algorithms that can be used for securing
# data transmission.
ubtu24cis_sshd_ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
# the integrity of data exchanged.
ubtu24cis_sshd_macs: "{{ ubtu24cis_sshd_default_macs }}"
# This variable is used to state the key exchange algorithms used to establish secure encryption
# keys during the initial connection setup.
ubtu24cis_sshd_kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
# This variable sets the time interval in seconds between sending "keep-alive"
# messages from the server to the client. These types of messages are intended to
# keep the connection alive and prevent it being terminated due to inactivity.
ubtu24cis_sshd_client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
# This variable sets the maximum number of unresponsive "keep-alive" messages
# that can be sent from the server to the client before the connection is considered
# inactive and thus, closed.
ubtu24cis_sshd_client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
# This variable specifies the amount of seconds allowed for successful authentication to
# the SSH server.
ubtu24cis_sshd_login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
# This variables is used to set the maximum number of open sessions per connection.
ubtu24cis_sshd_max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_allow_users: ""
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_allow_groups: ""
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_deny_users: ""
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_deny_groups: ""

## Control 5.2.1
# This variable represents the name of the sudo package to install
# CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`.
ubtu24cis_sudo_package: "sudo"

## Control 5.2.3
# This variable defines the path and file name of the sudo log file.
ubtu24cis_sudo_logfile: "/var/log/sudo.log"

## control 5.2.4 sudoers NOPASSWD
# This will leave NOPASSWD intact for these users
ubtu24cis_sudoers_exclude_nopasswd_list:
  - ec2-user
  - vagrant

##  Control 5.2.6
# This variable sets the duration (in minutes) during which a user's authentication credentials
# are cached after successfully authenticating using "sudo". This allows the user to execute
# multiple commands with elevated privileges without needing to re-enter their password for each
# command within the specified time period. CIS requires a value of at most 15 minutes.
ubtu24cis_sudo_timestamp_timeout: 15
## Control 5.2.7
# This variable determines the group of users that are allowed to use the su command.
# one to specify a user group that is allowed to use the "su" command.
# CIS requires that such a group be created (named according to site policy) and be kept empty.
ubtu24cis_sugroup: nosugroup

## 5.3.2.x
# Path to find templates and where to put file for pam-auth
ubtu24cis_pam_confd_dir: 'usr/share/pam-configs/'
### Note: controls also managed with disruption high due to the nature of pam changes
# Create file will create/replace with the name

# Controls 5.3.2.1 - pam_unix
# Name of file
ubtu24cis_pam_pwunix_file: 'pam_unix'
# Should NOT be enabled if allowing custom config that enabled pam_faillock
ubtu24cis_pam_create_pamunix_file: false
# Allow pam-auth-update --enable ubtu24cis_pam_pwunix_file to run
ubtu24cis_pam_auth_unix: true

# 5.3.2.2 - pam_faillock
# Name of files
ubtu24cis_pam_faillock_file: 'faillock'
ubtu24cis_pam_faillock_notify_file: 'faillock_notify'
# Allow pam-auth-update --enable ubtu24cis_pam_faillock_file
# and
# Allow pam-auth-update --enable ubtu24cis_pam_faillock_notify_file
ubtu24cis_pam_auth_faillock: true
# Allow new file to be created or overwrite existing with same name
ubtu24cis_pam_create_faillock_files: true

# 5.3.2.3 - pam_pwquality
# Name of files
ubtu24cis_pam_pwquality_file: 'pwquality'
# Allow new file to be created or overwrite existing with same name
ubtu24cis_pam_create_pwquality_files: true
# Allow pam-auth-update --enable ubtu24cis_pam_pwquality_file
ubtu24cis_pam_auth_pwquality: true

# 5.3.2.4 - pam_pwhistory
# Name of file
ubtu24cis_pam_pwhistory_file: 'pwhistory'
# Allow new file to be created or overwrite existing with same name
# filepath also affects controls 5.3.3.3.1, 5.3.3.3.2, 5.3.3.3.3
ubtu24cis_pam_create_pwhistory_files: true
# Allow pam-auth-update --enable ubtu24cis_pam_pwhistory_file
ubtu24cis_pam_auth_pwhistory: true

# 5.3.3.1.1 - faillock_deny
ubtu24cis_faillock_deny: 3

# 5.3.3.1.2 - faillock unlock time
ubtu24cis_faillock_unlock_time: 900

# 5.3.3.1.3 - lock root
# This allow optional - even_deny_root or root_unlock_time
ubtu24cis_pamroot_lock_option: even_deny_root
ubtu24cis_pamroot_lock_string: even_deny_root

# 5.3.3.2.1 - password difok
ubtu24cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf  # pragma: allowlist secret
ubtu24cis_passwd_difok_value: 2

# 5.3.3.2.2 - password minlength
ubtu24cis_passwd_minlen_file: etc/security/pwquality.conf.d/50-pwlength.conf  # pragma: allowlist secret
ubtu24cis_passwd_minlen_value: 14

# 5.3.3.2.3 - password complex
ubtu24cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf  # pragma: allowlist secret
ubtu24cis_passwd_minclass: 3
ubtu24cis_passwd_dcredit: -1
ubtu24cis_passwd_ucredit: -2
ubtu24cis_passwd_ocredit: 0
ubtu24cis_passwd_lcredit: -2

# 5.3.3.2.4 - password maxrepeat
ubtu24cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf  # pragma: allowlist secret
ubtu24cis_passwd_maxrepeat_value: 3

# 5.3.3.2.5 - password maxsequence
ubtu24cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequence.conf  # pragma: allowlist secret
ubtu24cis_passwd_maxsequence_value: 3

# 5.3.3.2.6 - password dictcheck
ubtu24cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf  # pragma: allowlist secret
ubtu24cis_passwd_dictcheck_value: 1

# 5.3.3.2.7 - password quality enforce
ubtu24cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf  # pragma: allowlist secret
ubtu24cis_passwd_quality_enforce_value: 1

# 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7
ubtu24cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf  # pragma: allowlist secret
ubtu24cis_passwd_quality_enforce_root_value: enforce_for_root  # pragma: allowlist secret

## 5.3.3.3 Configure pam_pwhistory module
# Uses value for ubtu24cis_pam_pwhistory_file in 5.3.2.4
# Control 5.3.3.3.1
# This variable represents the number of password change cycles, after which
# a user can re-use a password. # CIS requires a value of 24 or more.
ubtu24cis_pamd_pwhistory_remember: 24

## Controls 5.4.1.x - Password settings
ubtu24cis_pass:
## Control 5.4.1.1
# This variable governs after how many days a  password expires.
# CIS requires a value of 365 or less.
ubtu24cis_pass_max_days: 365
## Control 5.4.1.2
# This variable specifies the minimum number of days allowed between changing passwords.
# CIS requires a value of at least 1.
ubtu24cis_pass_min_days: 1
## Control 5.5.1.3
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
ubtu24cis_pass_warn_age: 7
## Control 5.4.1.5
# This variable specifies the number of days of inactivity before an account will be locked.
# CIS requires a value of 45 days or less.
ubtu24cis_pass_inactive: 45

# 5.4.2.6 root umask
ubtu24cis_root_umask: '0027'  # 0027 or more restrictive
## Control 5.4.4
# ubtu24cis_passwd_hash_algo is the hashing algorithm used
ubtu24cis_passwd_hash_algo: yescrypt  # pragma: allowlist secret
# Set pam as well as login defs if PAM is required
ubtu24cis_passwd_setpam_hash_algo: false

## Control 5.4.3 - Default user mask
# The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`.
# The value needs to be `027` or more restrictive to comply with CIS standards
ubtu24cis_bash_umask: '027'

## Control 5.4.3.2 - Configuring user shell timeout
# This dictionary is related to ensuring the rule about user shell timeout
# This variable represents the amount of seconds a command or process is allowed to
# run before being forcefully terminated.
# CIS requires a value of at most 900 seconds.
ubtu24cis_shell_session_timeout: 900
# This variable specifies the path of the timeout setting file.
# (TMOUT setting can be set in multiple files, but only one is required for the
# rule to pass. Options are:
# - a file in `/etc/profile.d/` ending in `.s`,
# - `/etc/profile`, or
# - `/etc/bash.bashrc`.
ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh

##
## Section 6 Control Variables
##
# Set which syslog service
# journald or rsyslog
ubtu24cis_syslog_service: 'journald'

## Controls 6.1.1.x journald

# This variable specifies the address of the remote log host where logs are being sent.
ubtu24cis_remote_log_server: 192.168.2.100
# This variable expresses whether the system is used as a log server or not.
# If set to `true`, controls that interfere with log server functionality or
# require that own system logs be sent to some other log server are skipped.
ubtu24cis_system_is_log_server: false

## Controls 6.1.1.2.x & 6.1.1.x journald
# This variable specifies the path to the private key file used by the remote journal
# server to authenticate itself to the client. This key is used alongside the server's
# public certificate to establish secure communication.
ubtu24cis_journal_upload_serverkeyfile:
# This variable specifies the path to the public certificate file of the remote journal
# server. This certificate is used to verify the authenticity of the remote server.
ubtu24cis_journal_servercertificatefile:
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
ubtu24cis_journal_trustedcertificatefile:

# 6.1.1.1.3
# These variable specifies how much disk space the journal may use up at most
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
# ATTENTION: Uncomment the keyword below when values are set!
ubtu24cis_journald_systemmaxuse: "#SystemMaxUse="
ubtu24cis_journald_systemkeepfree: "#SystemKeepFree="
ubtu24cis_journald_runtimemaxuse: "#RuntimeMaxUse="
ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
# This variable specifies, the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given values is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# ATTENTION: Uncomment the keyword below when values are set!
ubtu24cis_journald_maxfilesec: "#MaxFileSec="

# 6.1.3.8
# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
# To conform to CIS standards this just needs to comply with your site policy
ubtu24cis_logrotate: "daily"

## Controls 6.2.3.x - Audit template
# This variable is set to true by tasks 6.2.3.1 to 6.2.3.20. As a result, the
# audit settings are overwritten with the role's template. In order to exclude
# specific rules, you must set the variable of form `ubtu24cis_rule_4_1_3_x` above
# to `false`.
update_audit_template: false

## Advanced option found in auditd post
## users whose actions are not logged by auditd
ubtu24cis_allow_auditd_uid_user_exclusions: false

# add a list of uids
ubtu24cis_auditd_uid_exclude:
  - 1999

##  Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
# Buffering in memory is useful in situations, where the audit system is overwhelmed
# with incoming audit events, and needs to temporarily store them until they can be processed.
# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
ubtu24cis_audit_back_log_limit: 8192

## Controls 6.2.2.x - What to do when log files fill up
## Control 6.2.2.1 - Ensure audit log storage size is configured
# This variable specifies the maximum size in MB that an audit log file can reach
# before it is archived or deleted to make space for the new audit data.
# This should be set based on your sites policy. CIS does not provide a specific value.
ubtu24cis_max_log_file_size: 10

## Control 6.2.3.2
# This variable determines what action the audit system should take when the maximum
# size of a log file is reached.
# The options for setting this variable are as follows:
# - `ignore`: the system does nothing when the size of a log file is full;
# - `syslog`: a message is sent to the system log indicating the problem;
# - `suspend`: the system suspends recording audit events until the log file is cleared or rotated;
# - `rotate`: the log file is rotated (archived) and a new empty log file is created;
# - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints.
# CIS prescribes the value `keep_logs`.
ubtu24cis_auditd_max_log_file_action: keep_logs

## Control 6.2.3.3
# This variable determines how the system should act in case of issues with disk
# The disk_full_action parameter tells the system what action to take when no free space is available on the partition that holds the audit log files.
# Valid values are ignore, syslog, rotate, exec, suspend, single, and halt.
#
# The disk_error_action parameter tells the system what action to take when an error is detected on the partition that holds the audit log files.
# Valid values are ignore, syslog, exec, suspend, single, and halt.
#
# CIS prescribes
# disk_full_action parameter:
# Set to halt - the auditd daemon will shutdown the system when the disk partition containing the audit logs becomes full.
# Set to single - the auditd daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full.
#
# disk_error_action parameter:
# Set to halt - the auditd daemon will shutdown the system when an error is detected on the partition that holds the audit log files.
# Set to single - the auditd daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files.
# Set to syslog - the auditd daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files.
ubtu24cis_auditd_disk_full_action: halt
ubtu24cis_auditd_disk_error_action: syslog

# Control 6.2.2.4
# Wait to do when space left is low.
ubtu24cis_auditd_space_left_action: email
ubtu24cis_auditd_admin_space_left_action: halt

## Control 6.3.x - allow aide to be configured
# AIDE is a file integrity checking tool, similar in nature to Tripwire.
# While it cannot prevent intrusions, it can detect unauthorized changes
# to configuration files by alerting when the files are changed. Review
# the AIDE quick start guide and AIDE documentation before proceeding.
# By setting this variable to `true`, all of the settings related to AIDE will be applied!
ubtu24cis_config_aide: true

# If DB file older than below will automatically rebuild DB
# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour
ubtu24cis_aide_db_file_age: 1w

# If aide already setup this forces a new DB to be created
ubtu24cis_aide_db_recreate: false

# allows to change db file, not config need to be adjusted too
ubtu24cis_aide_db_file: /var/lib/aide/aide.db

## When Initializing aide this can take longer on some systems
# changing the values enables user to change to thier own requirements
# Maximum Time in seconds
ubtu24cis_aide_init_async: 600
# Polling Interval in seconds
ubtu24cis_aide_init_poll: 15

## Control 6.3.x
# Set how aide is scanned either cron or timer
ubtu24cis_aide_scan: cron
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
# The sub-settings of this variable provide the parameters required to configure
# the cron job on the target system.
# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
# and executed automatically at a certain point in time.

# This variable represents the user account under which the cron job for AIDE will run.
ubtu24cis_aide_cron_user: root
# This variable represents the path to the AIDE crontab file.
ubtu24cis_aide_cron_file: /etc/cron.d/aide_cron
# This variable represents the actual command or script that the cron job
# will execute for running AIDE.
ubtu24cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
# These variables define the schedule for the cron job
# This variable governs the minute of the time of day when the AIDE cronjob is run.
# It must be in the range `0-59`.
ubtu24cis_aide_cron_minute: 0
# This variable governs the hour of the time of day when the AIDE cronjob is run.
# It must be in the range `0-23`.
ubtu24cis_aide_cron_hour: 5
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) can must be in the range  `1-31`.
ubtu24cis_aide_cron_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) can must be in the range  `1-12`.
ubtu24cis_aide_cron_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
# can be concatenated with commas.
ubtu24cis_aide_cron_weekday: '*'

##
## Section 7 Control Variables
##

## Controls 6.2.11 & 6.2.12
# The minimum and maximum UIDs to be used when enforcing
# and checking controls 6.2.11 and 6.2.12 can either be
# discovered automatically via logins.def or set manually
# in this file
# If min/maxx UIDs are to be discovered automatically,
# set this variable to `true`, otherwise to `false`.
discover_int_uid: false
# This variable sets the minimum number from which to search for UID
# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
# been set to `true`.
min_int_uid: 1000

# This variable sets the maximum number at which the search stops for UID
# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has
# been set to `true`.
max_int_uid: 65533

## Control 6.1.9
# The following variable is a toggle for enabling/disabling the automated
# removal of world-writable permissions from all files.
# Possible values are `true` and `false`.
ubtu24cis_no_world_write_adjust: true

## Control 6.2.7
# This variable is a toggle foe enabling/disabling the automated modification of
# permissions on dot files.
# Possible values are `true` and `false`.
ubtu24cis_dotperm_ansiblemanaged: true

## Section 7

# 7.1.12 Ensure no files or directories without an owner and a group exist
ubtu24cis_exclude_unowned_search_path: (! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*")

# Control 7.1.12
# The value of this variable specifies the owner that will be set for unowned files and directories.
ubtu24cis_unowned_owner: root
ubtu24cis_ungrouped_group: root
# This variable is a toggle for enabling/disabling the automated
# setting of an owner (specified in variable `ubtu24cis_unowned_owner`)
# for all unowned files and directories.
# Possible values are `true` and `false`.
ubtu24cis_ownership_adjust: true

## Control 7.1.13
# This variable is a toggle for enabling/disabling the automated removal
# of the SUID bit from all files on all mounts.
# Possible values are `true` and `false`.
ubtu24cis_suid_sgid_adjust: false