checklist.yml

---
# My example
filesystem:
  # 1.1.1.1 
  disable_cramfs_filesystem: yes
  # 1.1.1.2 
  disable_freevxfs_filesystem: yes
  # 1.1.1.3 
  disable_jffs2_filesystem: yes
  # 1.1.1.4 
  disable_hfs_filesystem: yes
  # 1.1.1.5 
  disable_hfsplus_filesystem: yes
  # 1.1.1.6 
  disable_squashfs_filesystem: yes
  # 1.1.1.7 
  disable_udf_filesystem: yes
  # 1.1.1.8 
  disable_vfat_filesystem: yes

  # 1.1.2
  tmp_partition_create: yes
  # 1.1.3
  tmp_partition_nodev: yes
  # 1.1.4
  tmp_partition_nosuid: yes
  # 1.1.5
  tmp_partition_noexec: no

  # 1.1.7
  var_tmp_partition_create: yes
  # 1.1.8
  var_tmp_partition_nodev: no
  # 1.1.9
  var_tmp_partition_nosuid: yes
  # 1.1.10
  var_tmp_partition_noexec: yes

  #1.1.14
  home_partition_nodev: no

  #1.1.15
  dev_shm_nodev: no
  #1.1.16
  dev_shm_nosuid: yes
  #1.1.17
  dev_shm_noexec: no

  #1.1.18
  removable_medias_nodev: yes
  #1.1.19
  removable_medias_nosuid: no
  #1.1.20
  removable_medias_noexec: yes

  #1.1.21
  sticky_bit_world_writable_dirs: yes


integr_check:
  #1.3.1
  install_aide: yes
  #1.3.2
  regular_check: yes


bootloader:
  #1.4.1
  file_perm: yes
  #1.4.1
  grub_pass: yes
  #1.4.1
  single_user_mode_pass: yes


addit_proc_harden:
  #1.5.1
  disable_core_dumps: yes
  #1.5.3
  enable_aslr: yes
  #1.5.4
  disable_prelink: yes


warn_banner:
  #1.7.1.1
  message_day: yes
  #1.7.1.2
  local_login: yes
  #1.7.1.3
  remote_login: yes
  #1.7.2
  gdm: yes


#1.8
update_patch: yes

auditd:
  install: yes
  # 4.1.1.1
  configure_log_storage_size: yes
  # 4.1.1.2
  disable_system: yes
  # 4.1.3
  save_logs: yes

  # 4.1.2
  enable_service: yes
  # 4.1.3
  process_prior_auditd: yes
  # 4.1.4
  date_time: yes
  #4.1.5
  user_group: yes
  #4.1.6
  network_environ: yes
  #4.1.7
  mac: yes
  #4.1.8
  login_logout: yes
  #4.1.9
  session_init: yes
  #4.1.10
  dac: yes
  #4.1.11
  unsuccess_file_access: yes
  #4.1.12
  priv_commands: yes
  #4.1.13
  success_mount: yes
  #4.1.14
  file_delete: yes
  #4.1.15
  sudoers: yes
  #4.1.16
  sudo_log: yes
  #4.1.17
  module_load_unload: yes
  # #4.1.18
  immutable: yes

log:
  #4.2.3
  # install: yes

  #4.2.1.1
  enable_rsyslog: yes
  #4.2.1.2
  config_rsyslog: yes
  #4.2.1.3
  rsyslog_file_perm: yes

  #4.2.2.1
  enable_syslogng: yes
  #4.2.2.2
  config_syslogng: yes
  #4.2.2.3
  syslogng_file_perm: yes

  #4.2.4
  file_perm: yes

  #4.3
  logrotate: yes


# Your example.
ssh:
  # This will be hardened. You have to do a check in your task to this variable.
  # The check in the task is done like this : when: sshd.protocole_version_2
  protocole_version_2: yes
  # This won't be hardened
  log_level_info: no
  disable_x11_forwarding: yes
  enable_IgnoreRhosts: yes
  disable_HostbasedAuthentication: yes
  disable_root_login: no
  ssh_limit: no
  set_ClientAliveInterval_300_and_ClientAliveCountMax_4: yes
  set_LoginGraceTime_1minute: no


pam:
  allow_3_tries_before_failure: yes
  set_policy: yes
  lockout_failed_attempts: yes
  password_reuse_limit_and_sha512_as_default: no


services:
  # 2.1 inetd services
  disable_chargen_service: yes
  disable_daytime_service: yes
  disable_discard_service: yes
  disable_echo_service: yes
  disable_time_service: yes
  disable_tftp_service: yes
  disable_xinetd_service: yes

  # 2.2 server services (special purpose services)
  disable_x_windows: yes
  disable_avahi_server: no
  disable_cups: yes
  disable_dhcp_server: no
  disable_ldap_server: yes
  disable_nfs: no
  disable_nfs_server: yes
  disable_rpc: yes
  disable_dns_server: no
  disable_ftp_server: no
  disable_http_server: yes
  disable_imap_pop3: yes
  disable_http_proxy_server: yes
  disable_snmp: yes
  disable_nis: no
  disable_samba_server: yes
  disable_talk_server: no
  disable_telnet_server: yes
  disable_tftp_server: yes
  disable_rsync: yes
  
  # 2.3 services client
  uninstall_ypbind: yes
  uninstall_rsh: yes
  uninstall_talk: yes
  uninstall_telnet: yes
  uninstall_openldap_clients: yes

  configure_chrony: no
  configure_ntp: yes


network:
  # IPV4
  disable_ip_forwarding: yes
  disable_packet_redirect: yes

  # IPV6
  ignore_router_advertisements_ipv6: yes
  ignore_packet_redirect_ipv6: yes
  deactivate_ipv6: yes

  # Uncommon network protocols
  disable_dccp: yes
  disable_sctp: yes
  disable_rds: yes
  disable_tipc: yes

  # firewall
  configure_loopback_traffic: yes
  configure_iptables: yes

  # tcp wrappers
  install_tcp_wrappers: yes
  configure_outbound_established_connections: yes

  ignore_source_routed_packets: yes
  ignore_icmp_redirects: yes
  ignore_secure_icmp_redirects: yes
  log_suspicious_packets: yes
  ignore_broadcast_icmp: yes
  ignore_bogus_icmp: yes
  reverse_path_filtering: yes
  tcp_syn_cookies: yes


user_and_accounts:
  passwd_expiration: yes
  min_between_passwd_change: yes
  passwd_expriration_warning: yes
  inactive_account_lock: yes

  default_group_root_0: yes
  user_shell_timeout: yes
  restricted_root_login_physical_consoles: yes
  restricted_su: yes