# sudo log file path # (CIS rule 1.3.3) sudo_log=/var/log/sudo.log # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password # is not set. # (CIS rule 1.5.2) grub_hash= # Grub user set for authentication grub_user=ubuntu # Hash which can be created by the "openssl passwd -6" command to set the root user # password. If empty, the root password is unchanged. # (CIS rule 1.5.3) root_hash= # If set to "true", AppArmor profiles will be set into enforce mode even on level 1 CIS # profiles. Otherwise, they will be set into complain mode on level 1 CIS profiles. # (CIS rule 1.7.1.3) lvl1_apparmor_enforce=false # Time synchronization service selected (ntp or chrony - if empty, none will be installed) # (CIS rule 2.2.1.1, 2.2.1.3, 2.2.1.4) time_sync_svc=chrony time_sync_addr=pool.ntp.org # Audit log storage size, before log is automatically rotated # (CIS rule 4.1.2.1) max_log_file=8 # Remote log host address (CIS rule 4.2.1.5) # Use the format loghost.example.com:554, to define the port. If empty, none will be configured remote_log_server= # SSH server log level (CIS rule 5.2.4) # Only two options are allowed: VERBOSE and INFO. If empty, INFO will be selected by default. ssh_log_level=VERBOSE # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.17) AllowUsers= AllowGroups= DenyUsers= DenyGroups= # Max number of open sessions permitted from a ssh connection (CIS rule 5.2.22) # CIS benchmark requires it to be 4 or less, so anything above that number # is ignored by this script. If empty, this rule is not applied. ssh_max_sessions=10 # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1) # If the parameter is empty, it isn't added to the /etc/security/pwquality.conf file minlen=14 minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 # Unowned files will be changed to this user (CIS rule 6.1.11) unowned_user=root # Ungrouped files will be changed to this user (CIS rule 6.1.12) unowned_group=root # Delete files in the home directory which violate CIS rules (CIS rules 6.2.8, 6.2.9, 6.2.11) delete_user_files=true # Rulesets for Custom profile ruleset1="1.1.1.1 1.1.1.2" ruleset2="2.2.1.4 2.2.3 2.2.5" #ruleset3="" #ruleset4="" #ruleset5="" #ruleset6=""