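---
# Role defaults for OS hardening. Every value below is a tunable that a
# playbook may override; the data is unchanged from the original defaults,
# only the layout, quoting and comments were cleaned up.

os_desktop_enable: false
os_env_extra_user_paths: []
os_env_umask: '027'  # quoted: a bare 027 would be read as an octal integer

# Password aging and login policy
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7  # discourage password cycling
os_auth_retries: 5
os_auth_lockout_time: 600  # 10min
os_auth_timeout: 60
os_auth_allow_homeless: false
os_auth_pam_passwdqc_enable: true
os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8'  # used in RHEL6
os_auth_pam_pwquality_options: 'try_first_pass retry=3 type='  # used in RHEL7
os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]

# UID/GID boundaries between system and regular accounts
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 999

os_chfn_restrict: ''  # may contain: change_user

# specify system accounts whose login should not be disabled and whose
# password should not be changed
os_security_users_allow: []
# NOTE(review): 'vagrant' is exempted from user hardening by default; confirm
# this list matches the target environment before rolling out.
os_ignore_users: ['vagrant']

# Kernel hardening
os_security_kernel_enable_module_loading: true
os_security_kernel_enable_core_dump: false

# SUID/SGID handling
os_security_suid_sgid_enforce: true
# user-defined blacklist and whitelist
os_security_suid_sgid_blacklist: []
os_security_suid_sgid_whitelist: []
# if this is true, remove any suid/sgid bits from files that were not in the whitelist
os_security_suid_sgid_remove_from_unknown: false

# remove packages with known issues
os_security_packages_clean: true
os_security_packages_list:
  - 'xinetd'
  - 'inetd'
  - 'ypserv'
  - 'telnet-server'
  - 'rsh-server'
  - 'rsync'

# Allow interactive startup (rhel, centos)
os_security_init_prompt: true
# Require root password for single user mode. (rhel, centos)
os_security_init_single: false

# Apply ufw defaults
ufw_manage_defaults: true
# Empty variable disables IPT_SYSCTL in /etc/default/ufw
# by default in Ubuntu it set to: /etc/ufw/sysctl.conf
# CAUTION
# if you enable it - it'll overwrite /etc/sysctl.conf file, managed by hardening framework
ufw_ipt_sysctl: ''
# Default ufw variables
ufw_default_input_policy: 'DROP'
ufw_default_output_policy: 'ACCEPT'
ufw_default_forward_policy: 'DROP'
ufw_default_application_policy: 'SKIP'
# quoted on purpose: a bare no would be parsed as boolean false under YAML 1.1
ufw_manage_builtins: 'no'
ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'

# CAUTION
# If you want to overwrite sysctl-variables,
# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
sysctl_config:
  # Disable IPv4 traffic forwarding.
  net.ipv4.ip_forward: 0
  # Disable IPv6 traffic forwarding.
  net.ipv6.conf.all.forwarding: 0
  # ignore RAs on IPv6.
  net.ipv6.conf.all.accept_ra: 0
  net.ipv6.conf.default.accept_ra: 0
  # Enable RFC-recommended source validation feature.
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  # Reduce the surface on SMURF attacks.
  # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  # There is no reason to accept bogus error responses from ICMP, so ignore them instead.
  net.ipv4.icmp_ignore_bogus_error_responses: 1
  # Limit the amount of traffic the system uses for ICMP.
  net.ipv4.icmp_ratelimit: 100
  # Adjust the ICMP ratelimit to include ping, dst unreachable,
  # source quench, time exceed, param problem, timestamp reply, information reply
  net.ipv4.icmp_ratemask: 88089
  # Disable IPv6
  net.ipv6.conf.all.disable_ipv6: 1
  # Protect against wrapping sequence numbers at gigabit speeds
  net.ipv4.tcp_timestamps: 0
  # Define restriction level for announcing the local source IP
  net.ipv4.conf.all.arp_ignore: 1
  # Define mode for sending replies in response to
  # received ARP requests that resolve local target IP addresses
  net.ipv4.conf.all.arp_announce: 2
  # RFC 1337 fix F1
  net.ipv4.tcp_rfc1337: 1

# CAUTION
# If you want to overwrite sysctl-variables,
# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
sysctl_rhel_config:
  # ExecShield protection against buffer overflows
  kernel.exec-shield: 1
  # SYN cookies are used to prevent SYN-flooding attacks.
  net.ipv4.tcp_syncookies: 1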