# Pillar variables used by ash-linux formula.
#
# Currently, only rsyslog service is targeted for Pillar-usage
#
#################################################################
## ash-linux:
## lookup:
# Settings used for configuring syslog service
## rsyslog:
## destination: localhost
## transport: udp
## log_port: 517
## match_criteria: *.*
## disable_locallog: false  # boolean; prefer true/false over yes/no, which YAML 1.2 parsers read as strings
## log_template: RSYSLOG_ForwardFormat
# Whether to attempt to cac-enable the system
## cac-enable: false
# Where to send automated emails
## notifier-email: notifications@my.fully.qualified.domain
# STIG-handlers to skip
## skip-stigs:
## - RHEL-07-020160
## - RHEL-07-020161
# Maximum length of time (in days) to patch system within
## mustpatch-days: 30
# Default permission to set on home directories
# (quote the value, e.g. '0700': an unquoted leading-zero number is
# parsed as an octal integer (448) by YAML 1.1 loaders such as PyYAML)
## home-mode: 0700
# Action auditd will take if it overruns its event-queues
## audit-overflow: <0|1|2>
# Action auditd will take if log-space is running out
## audit-space-action: <ignore|syslog|rotate|email|exec|suspend|single|halt>
# The IP/hostname of a remote node configured to collect
# event information from the audispd service
## audisp-server: audispdcol.my.fully-qualified.domain
# Action to take if audispd detects a disk-full condition
## audisp-disk-full: <syslog|single|halt>
# Action to take if audispd is unable to send logs to a
# remote collector-host
## audisp-net-fail: <syslog|single|halt>
#
# Users that should get specific confinements other than 'user_u'
## sel_confine:
## guest_u: # Users that should be mapped to the 'guest_u' confinement
## root_u: # Users that should be mapped to the 'root' confinement
## staff_u: # Users that should be mapped to the 'staff_u' confinement
## sysadm_u: # Users that should be mapped to the 'sysadm_u' confinement
## system_u: # Users that should be mapped to the 'system_u' confinement
## unconfined_u: # Users that should be mapped to the 'unconfined_u' confinement
## null_u: # Users that should not be mapped to a confinement
# List of accounts that should be banned from deployed systems
## banned-accts:
## - ftp
## - games
## - gopher
# DNS-related information for SaltStack to enforce if not
# being received via other means (e.g., DHCP)
## dns-info:
## nameservers:
## - nameserver1.I.P.addr
## - nameserver2.I.P.addr
## Set a localized/custom password on the GRUB boot-loader
## (the password is a secret: supply it from a protected pillar source
## rather than a plain-text file committed to version control)
## grub-user: <ANY_STRING_OTHER_THAN_root>
## grub-passwd: <POLICY_COMPLIANT_PASSWORD_STRING>
## Ensure that the LogLevel parm in sshd_config is set to the
## site-mandated value
## sshd-loglevel: <QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG|DEBUG1|DEBUG2|DEBUG3>
## (See man page for valid values and associated output/warnings)
# If using oscap to harden, which profile to select
# If unsure of available profiles, use `oscap info \
# "/usr/share/xml/scap/ssg/content/ssg-${OSVERS}-xccdf.xml"`
## scap-profile: 'stig-rhel7-server-gui-upstream'
## scap-profile: 'standard'
## scap-profile: 'pci-dss'
## scap-profile: 'C2S'
## scap-profile: 'common'
## scap-cpe: # Path to scap cpe-dictionary.xml file
## scap-ds: # Path to scap ds.xml file
## scap-xccdf: # Path to scap xccdf.xml file
## scap-output: # Path to directory where scap results will be saved
## pam_stuff:
## faillock_deny_count: # pam_faillock's "deny" value
## faillock_fail_interval: # pam_faillock's "fail_interval" value
## faillock_unlock_time: # pam_faillock's "unlock_time" value
## faillock_logging_dir: # pam_faillock's "dir" value
## pwhistory_remember: # pam_pwhistory's "remember" value
## pwhistory_retry: # pam_pwhistory's "retry" value
## banner-plain: |
## login-banners:
## /etc/issue: |
## This banner-content overrides the standard, STIG-specified, DoD warning banner content that is bundled with the ASH-linux formula. This overridden content is placed into the '/etc/issue' file.
##
## Notes on content-limitations:
##
## * There is, currently, no tested limit to the length of the content deliverable by this content-block.
## * This override content may exceed an 80-column (or other) width.
## * This content may also be specified as multi-line content.
## * Wholly blank lines need not be padded with leading spaces.
## * The only current recommendation is to limit content to the standard ASCII character-set. Alternate character-sets (i.e., UTF8/UNICODE) have not been tested.
##
## Beyond that, "go nuts".
##
## gconf: This banner-content overrides the standard, STIG-specified, DoD warning banner content that is bundled with the ASH-linux formula. Note that GDM's `gconf` utility wants banner text specified as a single line of text with any required linefeeds injected as '\n' literals. Beyond that, this override content is not constrained.\n\nBasically, "go nuts".
## NTP-related settings
## use-ntp: True # boolean data-type
## ntp-servers: # list data-type
## - 0.pool.ntp.org # If `use-ntp` is set to `true`, an
## - 1.pool.ntp.org # undeclared or empty-list results
## - 2.pool.ntp.org # in distribution's default servers
## - ...
## - 169.254.169.123 # AWS NTP service-endpoint IP/recommended value
## - time.windows.com # Azure Marketplace images' default-value
## - metadata.google # Google Cloud Platform recommended value
## - metadata.google.internal # Google Cloud Platform recommended value
## SSH configuration-options
## ssh:
## daemon: # Daemon-related settings
## allowed_ciphers: # Ciphers to support: list data-type
## - aes256-gcm@openssh.com # Listed values are those allowed
## - aes256-ctr # in the CY25Q3 STIG-release
## - aes128-gcm@openssh.com #
## - aes128-ctr #
## client: # Client-related settings
## SMTP email alias configuration
## mail_aliases:
## root: <OFFHOST_EMAIL_ADDRESS> # This must be defined to a valid
## # site-address to meet hardening
## # requirements
## user1: <DESTINATION_1> # Extra aliases that site wants
## .....: ........ # standardized onto...
## userN: <DESTINATION_N> # ...
## Postfix configuration-options
## postfix:
## main_cf: # Config-changes made to the /etc/postfix/main.cf file
## smtpd_client_restrictions: # Postfix parameter-name: a list data-type
## - ... # Any values defined here will be inserted into
## - ... # the parameter's option-list, between `localhost`
## - ... # and `reject`
## - permit_mynetworks
## - check_client_access cidr:/etc/postfix/access
## Systemd rescue-shell password-protection method: the v2r4 STIGs specify
## the first value, while the Compliance As Code remediation-content for
## Ansible specifies the latter method. Absent Pillar content, the state
## will set the former. In either case, some scanners may erroneously
## fail to recognize either value as valid
##
## rescue_shell_protection: '/usr/lib/systemd/systemd-sulogin-shell rescue'
## rescue_shell_protection: '/bin/sh -c "/sbin/sulogin ; /usr/bin/systemctl --fail --no-block default"'
## Rsyslog configuration-options
## rsyslog:
## collector_host: # FQDN or IP address of remote syslog collector
## # service. May include a ':<PORT_NUMBER>' substring
## # as needed