-
Notifications
You must be signed in to change notification settings - Fork 26
Main Variables
George Nalen edited this page Mar 26, 2021
·
1 revision
RHEL7-CIS Role Variables
As the end user you should only need to adjust the variables found within the defaults/main.yml. These address settings ranging from very high-level role controls to site specific host settings. Please review these before running the role to get a full understanding of what will need to be configured before running this role.
ubtu18cis_section1_patch: true
ubtu18cis_section2_patch: true
ubtu18cis_section3_patch: true
ubtu18cis_section4_patch: true
ubtu18cis_section5_patch: true
ubtu18cis_section6_patch: true
We've defined complexity-high to mean that we cannot automatically remediate the rule in question. In the future this might mean that the remediation may fail in some cases.
ubtu18cis_complexity_high: false
Show "changed" for complex items not remediated per complexity-high setting to make them stand out. "changed" items on a second run of the role would indicate items requiring manual review.
ubtu18cis_audit_complex: true
We've defined disruption-high to indicate items that are likely to cause disruption in a normal workflow. These items can be remediated automatically but are disabled by default to avoid disruption. Value of true runs duscruptive tasks, value of false will skip disruptive tasks
ubtu18cis_disruption_high: true
Show "changed" for disruptive items not remediated per disruption-high setting to make them stand out.
ubtu18cis_audit_disruptive: true
ubtu18cis_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
ubtu18cis_system_is_container: false
system_is_ec2: false
Section 1 Fixes
Section 1 is Iniitial setup (FileSystem Configuration, Configure Software Updates, Configure sudo, Filesystem Integrity Checking, Secure Boot Settings,Additional Process Hardening, Mandatory Access Control, and Warning Banners)
ubtu18cis_rule_1_1_1_1: true
ubtu18cis_rule_1_1_1_2: true
ubtu18cis_rule_1_1_1_3: true
ubtu18cis_rule_1_1_1_4: true
ubtu18cis_rule_1_1_1_5: true
ubtu18cis_rule_1_1_1_6: true
ubtu18cis_rule_1_1_1_7: true
ubtu18cis_rule_1_1_1_8: true
ubtu18cis_rule_1_1_1: true
ubtu18cis_rule_1_1_2: true
ubtu18cis_rule_1_1_3: true
ubtu18cis_rule_1_1_4: true
ubtu18cis_rule_1_1_5: true
ubtu18cis_rule_1_1_6: true
ubtu18cis_rule_1_1_7: true
ubtu18cis_rule_1_1_8: true
ubtu18cis_rule_1_1_9: true
ubtu18cis_rule_1_1_10: true
ubtu18cis_rule_1_1_11: true
ubtu18cis_rule_1_1_12: true
ubtu18cis_rule_1_1_13: true
ubtu18cis_rule_1_1_14: true
ubtu18cis_rule_1_1_15: true
ubtu18cis_rule_1_1_16: true
ubtu18cis_rule_1_1_17: true
ubtu18cis_rule_1_1_18: true
ubtu18cis_rule_1_1_19: true
ubtu18cis_rule_1_1_20: true
ubtu18cis_rule_1_1_21: true
ubtu18cis_rule_1_1_22: true
ubtu18cis_rule_1_1_23: true
ubtu18cis_rule_1_2_1: true
ubtu18cis_rule_1_2_2: true
ubtu18cis_rule_1_3_1: true
ubtu18cis_rule_1_3_2: true
ubtu18cis_rule_1_3_3: true
ubtu18cis_rule_1_4_1: true
ubtu18cis_rule_1_4_2: true
ubtu18cis_rule_1_5_1: true
ubtu18cis_rule_1_5_2: true
ubtu18cis_rule_1_5_3: true
ubtu18cis_rule_1_5_4: true
ubtu18cis_rule_1_6_1: true
ubtu18cis_rule_1_6_2: true
ubtu18cis_rule_1_6_3: true
ubtu18cis_rule_1_6_4: true
ubtu18cis_rule_1_7_1_1: true
ubtu18cis_rule_1_7_1_2: true
ubtu18cis_rule_1_7_1_3: true
ubtu18cis_rule_1_7_1_4: true
ubtu18cis_rule_1_8_1_1: true
ubtu18cis_rule_1_8_1_2: true
ubtu18cis_rule_1_8_1_3: true
ubtu18cis_rule_1_8_1_4: true
ubtu18cis_rule_1_8_1_5: true
ubtu18cis_rule_1_8_1_6: true
ubtu18cis_rule_1_8_2: true
ubtu18cis_rule_1_9: true
ubtu18cis_rule_2_1_1: true
ubtu18cis_rule_2_1_2: true
ubtu18cis_rule_2_2_1_1: true
ubtu18cis_rule_2_2_1_2: true
ubtu18cis_rule_2_2_1_3: true
ubtu18cis_rule_2_2_1_4: true
ubtu18cis_rule_2_2_2: true
ubtu18cis_rule_2_2_3: true
ubtu18cis_rule_2_2_4: true
ubtu18cis_rule_2_2_5: true
ubtu18cis_rule_2_2_6: true
ubtu18cis_rule_2_2_7: true
ubtu18cis_rule_2_2_8: true
ubtu18cis_rule_2_2_9: true
ubtu18cis_rule_2_2_10: true
ubtu18cis_rule_2_2_11: true
ubtu18cis_rule_2_2_12: true
ubtu18cis_rule_2_2_13: true
ubtu18cis_rule_2_2_14: true
ubtu18cis_rule_2_2_15: true
ubtu18cis_rule_2_2_16: true
ubtu18cis_rule_2_2_17: true
ubtu18cis_rule_2_3_1: true
ubtu18cis_rule_2_3_2: true
ubtu18cis_rule_2_3_3: true
ubtu18cis_rule_2_3_4: true
ubtu18cis_rule_2_3_5: true
Section 3 Fixes
Section 3 is Network Configuration (network parameters(host), network parameters (host and router), tcp rappers, uncommon network protocols, and firewall configuration)
ubtu18cis_rule_3_1_1: true
ubtu18cis_rule_3_1_2: true
ubtu18cis_rule_3_2_1: true
ubtu18cis_rule_3_2_2: true
ubtu18cis_rule_3_2_3: true
ubtu18cis_rule_3_2_4: true
ubtu18cis_rule_3_2_5: true
ubtu18cis_rule_3_2_6: true
ubtu18cis_rule_3_2_7: true
ubtu18cis_rule_3_2_8: true
ubtu18cis_rule_3_2_9: true
ubtu18cis_rule_3_3_1: true
ubtu18cis_rule_3_3_2: true
ubtu18cis_rule_3_3_3: true
ubtu18cis_rule_3_3_4: true
ubtu18cis_rule_3_3_5: true
ubtu18cis_rule_3_4_1: true
ubtu18cis_rule_3_4_2: true
ubtu18cis_rule_3_4_3: true
ubtu18cis_rule_3_4_4: true
ubtu18cis_rule_3_5_1_1: true
ubtu18cis_rule_3_5_2_1: true
ubtu18cis_rule_3_5_2_2: true
ubtu18cis_rule_3_5_2_3: true
ubtu18cis_rule_3_5_2_4: true
ubtu18cis_rule_3_5_2_5: true
ubtu18cis_rule_3_5_3_1: true
ubtu18cis_rule_3_5_3_2: true
ubtu18cis_rule_3_5_3_3: true
ubtu18cis_rule_3_5_3_4: true
ubtu18cis_rule_3_5_3_5: true
ubtu18cis_rule_3_5_3_6: true
ubtu18cis_rule_3_5_3_7: true
ubtu18cis_rule_3_5_3_8: true
ubtu18cis_rule_3_5_4_1_1: true
ubtu18cis_rule_3_5_4_1_2: true
ubtu18cis_rule_3_5_4_1_3: true
ubtu18cis_rule_3_5_4_1_4: true
ubtu18cis_rule_3_5_4_2_1: true
ubtu18cis_rule_3_5_4_2_2: true
ubtu18cis_rule_3_5_4_2_3: true
ubtu18cis_rule_3_5_4_2_4: true
ubtu18cis_rule_3_6: true
ubtu18cis_rule_3_7: true
Section 4 Fixes
Section 4 is Logging and Auditing (configure system accounting and configure logging)
ubtu18cis_rule_4_1_1_1: true
ubtu18cis_rule_4_1_1_2: true
ubtu18cis_rule_4_1_1_3: true
ubtu18cis_rule_4_1_1_4: true
ubtu18cis_rule_4_1_2_1: true
ubtu18cis_rule_4_1_2_2: true
ubtu18cis_rule_4_1_2_3: true
ubtu18cis_rule_4_1_3: true
ubtu18cis_rule_4_1_4: true
ubtu18cis_rule_4_1_5: true
ubtu18cis_rule_4_1_6: true
ubtu18cis_rule_4_1_7: true
ubtu18cis_rule_4_1_8: true
ubtu18cis_rule_4_1_9: true
ubtu18cis_rule_4_1_10: true
ubtu18cis_rule_4_1_11: true
ubtu18cis_rule_4_1_12: true
ubtu18cis_rule_4_1_13: true
ubtu18cis_rule_4_1_14: true
ubtu18cis_rule_4_1_15: true
ubtu18cis_rule_4_1_16: true
ubtu18cis_rule_4_1_17: true
ubtu18cis_rule_4_2_1_1: true
ubtu18cis_rule_4_2_1_2: true
ubtu18cis_rule_4_2_1_3: true
ubtu18cis_rule_4_2_1_4: true
ubtu18cis_rule_4_2_1_5: true
ubtu18cis_rule_4_2_1_6: true
ubtu18cis_rule_4_2_2_1: true
ubtu18cis_rule_4_2_2_2: true
ubtu18cis_rule_4_2_2_3: true
ubtu18cis_rule_4_2_3: true
ubtu18cis_rule_4_3: true
Section 5 Fixes
Section 5 is Acces, Authentication, and Authorization (configure cron, SSH server config, configure PAM
and user accounts and environment)
ubtu18cis_rule_5_1_1: true
ubtu18cis_rule_5_1_2: true
ubtu18cis_rule_5_1_3: true
ubtu18cis_rule_5_1_4: true
ubtu18cis_rule_5_1_5: true
ubtu18cis_rule_5_1_6: true
ubtu18cis_rule_5_1_7: true
ubtu18cis_rule_5_1_8: true
ubtu18cis_rule_5_2_1: true
ubtu18cis_rule_5_2_2: true
ubtu18cis_rule_5_2_3: true
ubtu18cis_rule_5_2_4: true
ubtu18cis_rule_5_2_5: true
ubtu18cis_rule_5_2_6: true
ubtu18cis_rule_5_2_7: true
ubtu18cis_rule_5_2_8: true
ubtu18cis_rule_5_2_9: true
ubtu18cis_rule_5_2_10: true
ubtu18cis_rule_5_2_11: true
ubtu18cis_rule_5_2_12: true
ubtu18cis_rule_5_2_13: true
ubtu18cis_rule_5_2_14: true
ubtu18cis_rule_5_2_15: true
ubtu18cis_rule_5_2_16: true
ubtu18cis_rule_5_2_17: true
ubtu18cis_rule_5_2_18: true
ubtu18cis_rule_5_2_19: true
ubtu18cis_rule_5_2_20: true
ubtu18cis_rule_5_2_21: true
ubtu18cis_rule_5_2_22: true
ubtu18cis_rule_5_2_23: true
ubtu18cis_rule_5_3_1: true
ubtu18cis_rule_5_3_2: true
ubtu18cis_rule_5_3_3: true
ubtu18cis_rule_5_3_4: true
ubtu18cis_rule_5_4_1_1: true
ubtu18cis_rule_5_4_1_2: true
ubtu18cis_rule_5_4_1_3: true
ubtu18cis_rule_5_4_1_4: true
ubtu18cis_rule_5_4_1_5: true
ubtu18cis_rule_5_4_1: true
ubtu18cis_rule_5_4_2: true
ubtu18cis_rule_5_4_3: true
ubtu18cis_rule_5_4_4: true
ubtu18cis_rule_5_4_5: true
ubtu18cis_rule_5_5: true
ubtu18cis_rule_5_6: true
Section 6 Fixes
Section 6 is System Maintenance (system file permissions and user and group settings)
ubtu18cis_rule_6_1_1: true
ubtu18cis_rule_6_1_2: true
ubtu18cis_rule_6_1_3: true
ubtu18cis_rule_6_1_4: true
ubtu18cis_rule_6_1_5: true
ubtu18cis_rule_6_1_6: true
ubtu18cis_rule_6_1_7: true
ubtu18cis_rule_6_1_8: true
ubtu18cis_rule_6_1_9: true
ubtu18cis_rule_6_1_10: true
ubtu18cis_rule_6_1_11: true
ubtu18cis_rule_6_1_12: true
ubtu18cis_rule_6_1_13: true
ubtu18cis_rule_6_1_14: true
ubtu18cis_rule_6_2_1: true
ubtu18cis_rule_6_2_2: true
ubtu18cis_rule_6_2_3: true
ubtu18cis_rule_6_2_4: true
ubtu18cis_rule_6_2_5: true
ubtu18cis_rule_6_2_6: true
ubtu18cis_rule_6_2_7: true
ubtu18cis_rule_6_2_8: true
ubtu18cis_rule_6_2_9: true
ubtu18cis_rule_6_2_10: true
ubtu18cis_rule_6_2_11: true
ubtu18cis_rule_6_2_12: true
ubtu18cis_rule_6_2_13: true
ubtu18cis_rule_6_2_14: true
ubtu18cis_rule_6_2_15: true
ubtu18cis_rule_6_2_16: true
ubtu18cis_rule_6_2_17: true
ubtu18cis_rule_6_2_18: true
ubtu18cis_rule_6_2_19: true
ubtu18cis_rule_6_2_20: true
ubtu18cis_allow_autofs: false
ubtu18cis_allow_usb_storage: false
ubtu18cis_avahi_server: false
ubtu18cis_cups_server: false
ubtu18cis_dhcp_server: false
ubtu18cis_ldap_server: false
ubtu18cis_nfs_rpc_server: false
ubtu18cis_dns_server: false
ubtu18cis_vsftpd_server: false
ubtu18cis_httpd_server: false
ubtu18cis_dovecot_server: false
ubtu18cis_smb_server: false
ubtu18cis_squid_server: false
ubtu18cis_snmp_server: false
ubtu18cis_rsync_server: false
ubtu18cis_nis_server: false
ubtu18cis_nis_required: false
ubtu18cis_rsh_required: false
ubtu18cis_talk_required: false
ubtu18cis_telnet_required: false
ubtu18cis_ldap_clients_required: false
ubtu18cis_is_router: false
ubtu18cis_ipv6_required: true
ubtu18cis_desktop_required is the toggle for requiring desktop environments. True means you use a desktop and will not disable/remove needed items to run a desktop (not recommented for servers)
false means you do not require a desktop
ubtu18cis_desktop_required: false
Control 1.1.2/1.1.3/1.1.4/1.1.5
ubtu18cis_tmp_fstab_options are the file system options for the fstabs configuration
To conform to CIS cotnrol 1.1.2 could use any settings
To conform to CIS control 1.1.3 nodev needs to be present
To conform to CIS control 1.1.4 nosuid needs to be present
To conform to CIS control 1.1.5 noexec needs to present
ubtu18cis_tmp_fstab_options: "defaults,rw,nosuid,nodev,noexec,relatime"
Control 1.1.8/1.1.9/1.1.10
These are the settings for the /var/tmp mount
To conform to CIS control 1.1.8 nodev needs to be present in opts
To conform to CIS control 1.1.9 nosuid needs to be present in opts
To conform to CIS control 1.1.10 noexec needs to be present in opts
ubtu18cis_vartmp:
source: /tmp
fstype: none
opts: "defaults,nodev,nosuid,noexec,bind"
enabled: false
Control 1.3.1
ubtu18cis_sudo_package is the name of the sudo package to install
The possible values are "sudo" or "sudo-ldap"
ubtu18cis_sudo_package: "sudo"
ubtu18cis_sudo_logfile: "/var/log/sudo.log"
ubtu18cis_aide_cron:
cron_user: root
cron_file: /etc/crontab
aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
aide_minute: 0
aide_hour: 5
aide_day: '*'
aide_month: '*'
aide_weekday: '*'
ubtu18cis_bootloader_password: random
ubtu18cis_set_boot_pass: false
Control 1.5.3
THIS VARAIBLE SHOULD BE CHANGED AND INCORPROATED INTO VAULT
THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu18cis_root_pw: "Password1"
Control 1.8.1.1
This will be the motd banner must not contain the below items in order to be compliant with Ubuntu 18 CIS
\m, \r, \s, \v or references to the OS platform
ubtu18cis_warning_banner: |
'Authorized uses only. All activity may be monitored and reported.'
Control 2.2.1.1
ubtu18cis_time_sync_tool is the tool in which to synchronize time
The two options are chrony or ntp
ubtu18cis_time_sync_tool: "ntp"
ubtu18cis_chrony_server_options: "minpoll 8"
ubtu18cis_ntp_server_options: "iburst"
ubtu18cis_time_synchronization_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
Control 3.3.2
values for the /etc/hosts.allow file for IP addresses permitted to connect to the host.
ubtu18cis_host_allow:
- "10.0.0.0/255.0.0.0"
- "172.16.0.0/255.240.0.0"
- "192.168.0.0/255.255.0.0"
Control 3.5.1.1
ubtu18cis_firewall_package is the firewall package you will be using.
the options are ufw, nftables, or iptables
you much chose only one firewall package
ubtu18cis_firewall_package: "ufw"
ubtu18cis_iptables_v6 toggles iptables vs ip6tables CIS firewall rules and is used with
variable ubtu18cis_firewall_package set to iptables
ubtu18cis_iptables_v6: true
Controls 3.5.4.1.1 through 3.5.4.1.4
The iptables module only writes to memory which means a reboot could revert settings
The below toggle will install iptables-persistent and save the rules in memory (/etc/iptables/rules.v4 or rules.v6)
This makes the CIS role changes permenant
ubtu18cis_save_iptables_cis_rules: true
Control 3.5.2.4
ubtu18cis_ufw_allow_out_ports are the ports for the firewall to allow if you want to allow out on all ports set variable to "all", example ubtu18cis_ufw_allow_out_ports: all
# ubtu18cis_ufw_allow_out_ports: all
ubtu18cis_ufw_allow_out_ports:
- 53
- 80
- 443
Control 3.5.3.2
ubtu18cis_nftables_table_name is the name of the table in nftables you want to create
the default nftables table name is inet filter. This variable name will be the one all
nftables configs are applied to
ubtu18cis_nftables_table_name: "inet filter"
Control 4.1.1.4
ubtu18cis_audit_back_log_limit is the audit_back_log limit and should be set to a sufficient value
The example from CIS uses 8192
ubtu18cis_audit_back_log_limit: 8192
Control 4.1.2.1
ubtu18cis_max_log_file_size is largest the log file will become in MB
This shoudl be set based on your sites policy
ubtu18cis_max_log_file_size: 10
ubtu18cis_auditd:
admin_space_left_action: halt
max_log_file_action: keep_logs
Control 4.2.1.3
ubtu18cis_rsyslog_ansible_managed will toggle ansible automated configurations of rsyslog
You should set the rsyslog to your side specific needs. This toggle will use the example from page 347 to set rsyslog loggin based on those configuration suggestions. Settings can be seen in control 4.2.1.3
ubtu18cis_rsyslog_ansible_managed: true
ubtu18cis_remote_log_server: 192.168.2.100
ubtu18cis_system_is_log_server: true
Control 4.3
ubtu18cis_logrotate is the log rotate frequencey. Options are daily, weekly, monthly, and yearly
ubtu18cis_logrotate: "daily"
ubtu18cis_sshd will contain all sshd variables. The task association and variable descriptions for each section are listed below
Control 5.2.5
log_level is the log level variable. This needs to be set to VERBOSE or INFO to conform to CIS standards
Control 5.2.7
max_auth_tries is the max number of authentication attampts per connection. This value should be 4 or less to conform to CIS standards
Control 5.2.13
ciphers is a comma seperated list of site approved ciphers
ONLY USE STRONG CIPHERS. Weak ciphers are listed below
DO NOT USE: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, arcfour, arcfour128, arcfour256, blowfish-cbc, cast128-cbc, rijndael-cbc@lysator.liu.se
Control 5.2.14
MACs is the comma seperated list of site approved MAC algorithms that SSH can use during communication
ONLY USE STRONG ALGORITHMS. Weak algorithms are listed below
DO NOT USE: hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1, hmac-sha1-96, umac-64@openssh.com, umac-128@openssh.com, hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com
Control 5.2.15
kex_algorithms is comma seperated list of the algorithms for key exchange methods
ONLY USE STRONG ALGORITHMS. Weak algorithms are listed below
DO NOT USE: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
Control 5.2.16
client_alive_interval is the amount of time idle before ssh session terminated. Set to 300 or less to conform to CIS standards
client_alive_count_max will send client alive messages at the configured interval. Set to 3 or less to conform to CIS standards
Control 5.2.17
login_grace_time is the time allowed for successful authentication to the SSH server. This needs to be set to 60 seconds or less to conform to CIS standards
Control 5.2.23
max_sessions is the max number of open sessions permitted. Set the value to 4 or less to conform to CIS standards
ubtu18cis_sshd:
log_level: "INFO"
max_auth_tries: 4
ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
client_alive_interval: 300
client_alive_count_max: 0
login_grace_time: 60
max_sessions: 4
# WARNING: make sure you understand the precedence when working with these values!!
# allow_users and allow_groups can be single user/group or multiple users/groups. For multiple list them with a space seperating them
allow_users: "vagrant ubuntu"
allow_groups: "vagrant ubuntu"
# deny_users:
# deny_groups:
Control 5.3.3
ubtu18cis_pamd_pwhistory_remember is number of password chnage cycles a user can re-use a password
This needs to be 5 or more to conform to CIS standards
ubtu18cis_pamd_pwhistory_remember: 5
ubtu18cis_pass will be password based variables
Control 5.4.1.1
max_days forces passwords to expire in configured number of days. Set to 365 or less to conform to CIS standards
Control 5.4.1.2
pass_min_days is the min number of days allowed between changing passwords. Set to 1 or more to conform to CIS standards
Control 5.4.1.3
warn_age is how many days before pw expiry the user will be warned. Set to 7 or more to conform to CIS standards
Control 5.4.1.4
inactive the number of days of inactivity before the account will lock. Set to 30 day sor less to conform to CIS standards
ubtu18cis_pass:
max_days: 365
min_days: 1
warn_age: 7
inactive: 30
Control 5.4.5
Session timeout setting file (TMOUT setting can be set in multiple files)
Timeout value is in seconds. Set value to 900 seconds or less
ubtu18cis_shell_session_timeout:
file: /etc/profile.d/tmout.sh
timeout: 900
ubtu18cis_su_group: "wheel"
Control 6.1.10
ubtu18cis_no_world_write_adjust will toggle the automated fix to remove world-writable perms from all files<br<Setting to true will remove all world-writable permissions, and false will leave as-is
ubtu18cis_no_world_write_adjust: true
ubtu18cis_unowned_owner: root
ubtu18cis_no_owner_adjust will toggle the automated fix to give a user to unowned files/directories
true will give the owner from ubtu18cis_un_owned_owner to all unowned files/directories and false will skip
ubtu18cis_no_owner_adjust: true
ubtu18cis_ungrouped_group: root
ubtu18cis_no_group_adjust will toggle the automated fix to give a group to ungrouped files/directories
true will give the group from ubtu18cis_un_owned_group to all ungrouped files/directories and false will skip
ubtu18cis_no_group_adjust: true
Cotnrol 6.1.13
ubtu18cis_suid_adjust is the toggle to remove the SUID bit from all files on all mounts
Set to true this role will remove that bit, set to false we will just warn about the files
ubtu18cis_suid_adjust: false
Control 6.2.9 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
ubtu18cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"