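# Example pillar for the CIS hardening state (cis.sls). Copy it and replace
# the placeholder values before targeting real hosts.
company: Company Name
sysadmin: Your Name
# Replace with the contact address that should appear in managed files.
sysadmin_email: [email protected]
file_header: "** THIS FILE IS MANAGED BY SALT; CHANGES WILL BE OVERWRITTEN **"

## CIS Package Management:
# These are the default CIS packages to be removed.
# Edit this list to match your environment.
# WARNING: if this variable does not exist in your pillar,
# every package in the default removal list will be purged.
# See the "default_cis_pkgs_to_remove" variable in cis.sls.
cis_pkgs_to_remove:
  - xinetd
  - telnet
  - telnet-server
  - krb5-workstation
  - rsh-server
  - rsh
  - tftp-server
  - sendmail
  - dhcp
  - gnome-user-share
  - isdn4k-utils
  - irda-utils
  - talk
  - ipsec-tools
  - pam_ccreds
  - openswan
  - sysklogd
  - openldap-servers
  - openldap-clients
  - setroubleshoot
  - bind
  - vsftpd
  - httpd
  - dovecot
  - samba
  - squid
  - net-snmp
# You can skip certain packages with a Jinja condition, for example:
# {% if 'webserver' not in grains['id'] %}
#   - httpd
# {% endif %}

## 1.2.2 Verify Red Hat GPG Key is Installed
# Fingerprints the state compares the installed RPM GPG keys against.
# Quoted so the space-separated hex groups stay a single string.
RedHat_gpg_keys:
  RPM-GPG-KEY-redhat-release: "567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
  RPM-GPG-KEY-redhat-legacy-release: "47DB 2877 89B2 1722 B6D9 5DDE 5326 8101 3701 7186"
  RPM-GPG-KEY-redhat-legacy-former: "CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E"
  RPM-GPG-KEY-redhat-legacy-rhx: "01AD EFD1 5A95 AE43 14DE 83C2 39A1 3A12 4219 3E6B"
CentOS_gpg_keys:
  RPM-GPG-KEY-CentOS-6: "C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE"
epel_gpg_keys:
  RPM-GPG-KEY-EPEL-6: "8C3B E96A F230 9184 DA5C 0DAE 3B49 DF2A 0608 B895"

## 1.5.3 Set Boot Loader Password
# Written as a canonical boolean: "no" is a boolean only under YAML 1.1
# and would be read as the string "no" by a YAML 1.2 parser.
grub_change_password: false
# Per the original note this hash corresponds to the password "password".
# It is a public example value -- generate your own hash before enabling
# grub_change_password. Quoted so the value is always read as a string.
grub_md5_password: "$1$zH9/LuR8$mSaGkvtLcwf7U6iy/KudL1"

## 3.6 Configure Network Time Protocol (NTP)
# Change these if your organization runs its own NTP servers.
ntp_servers:
  primary: 0.pool.ntp.org
  secondary: 1.pool.ntp.org
  tertiary: 2.pool.ntp.org
  # Key spelling kept as "forth"; the consuming state presumably reads
  # it under this name, so renaming it here would break the lookup.
  forth: 3.pool.ntp.org

## 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host
rsyslog_server: syslog-server.example.com

## 8.1 Set Warning Banner for Standard Login Services (Scored)
# Both banners are the same text, so it is defined once and aliased.
# The leading blank line is intentional: the banner begins with a newline.
# NOTE: "system personal" in the text presumably should read "system
# personnel"; align the wording with your organization's approved notice.
motd_msg: &login_banner |-

  -- WARNING --
  This system is for the use of authorized users only. Individuals
  using this computer system without authority or in excess of their
  authority are subject to having all their activities on this system
  monitored and recorded by system personnel. Anyone using this
  system expressly consents to such monitoring and is advised that
  if such monitoring reveals possible evidence of criminal activity
  system personal may provide the evidence of such monitoring to law
  enforcement officials.
issue_msg: *login_banner

## 4.4 Disable IPv6
enable_ipv6: false

## 4.5.2 Create /etc/hosts.allow
## Opens access to all RFC 1918 private ranges by default.
# Narrow this to the management networks that actually need access.
hosts_allow_subnet: "10.0.0.0/255.0.0.0, 172.16.0.0/255.240.0.0, 192.168.0.0/255.255.0.0"

## Extra options for ntpd; the default is empty. Use this, for example, for -g.
ntpd_extraopts: ''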